Rails 2.x has cross site request forging prevention feature. By defautl, all non-GET requests will be checked with a session token field to all forms.

As the MootTools AutoCompleter uses 'POST' requests by default, you will run into the following problem:

Processing TypusExtrasController#autocomplete_place (for 127.0.0.1 at 2008-09-12 13:02:30) [POST]
Session ID: BAh7DToMdXNlcl9pZGkEde1AOjoMY2l0eV9pZGkGOgljaXR5Ig5iYXJjZWxv
cHVzaQY=--d44a8439a97a5da236cea2f22dceb239456a3ed1
Parameters: {"action"=>"autocomplete_place", "value"=>"A", "controller"=>"typus_extras", "model"=>"places"}

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
/usr/lib/ruby/gems/1.8/gems/actionpack-2.1.1/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'

The solution is add a parameter to the javascript of the Autocompleter so it uses 'GET' requests instead:

var completer = new Autocompleter.Ajax.Json(el, '/admin/places/autocomplete_place', {
  minLength: 1,
                      ajaxOptions: {method: 'get'}
...