diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2bc32695..a1c4e238 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,7 +2,7 @@ class ApplicationController < ActionController::Base
 layout :layout_by_resource
- protect_from_forgery
+ #protect_from_forgery
 private
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 1d8db856..51c2fdce 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -1,5 +1,5 @@
 class UserController < ApplicationController
- before_filter :allow_mobile #, :authenticate_user!
+ before_filter :allow_mobile, :authenticate_user!
 layout 'phone'
 alias :list :active_list
diff --git a/app/models/user.rb b/app/models/user.rb
index 864eb11a..3301dea2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,12 +3,15 @@ class User
 include Devise::Orm::SimplyStored
 property :active_list_id
- devise :database_authenticatable, :recoverable, :rememberable, :trackable, :registerable
+ devise :database_authenticatable, :recoverable, :rememberable, :trackable, :registerable, :token_authenticatable
 has_and_belongs_to_many :lists, storing_keys: false
 has_many :orders
 validates_uniqueness_of :email
+ before_save :ensure_authentication_token
+
+ view :by_authentication_token, key: :authentication_token
 def list_is_closed!
 self.active_list_id = nil
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 9808954c..9a867866 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
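Review bot: In `app/controllers/application_controller.rb`, commenting out `protect_from_forgery` turns off CSRF verification for every controller that inherits from `ApplicationController`, not only for the mobile endpoints. The same commit keeps the cookie-backed Devise modules (`:database_authenticatable`, `:rememberable`) in `app/models/user.rb`, so a state-changing route such as `post '/user/needs_help'` would accept a cross-site request made from a signed-in browser. If the mobile client cannot send the authenticity token, keep `protect_from_forgery` here and exempt only the token-authenticated requests in the controller that serves them, making sure those requests never fall back to the session cookie. The class body continues outside the hunk.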
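Review bot: In `app/models/user.rb`, `:token_authenticatable` gives every user a long-lived bearer token, and nothing in the hunk rotates or expires it. `before_save :ensure_authentication_token` only fills in a missing value, so a token that leaks stays valid until someone resets it, and existing users have no token until their next save. Consider calling `reset_authentication_token!` when the password changes or the user signs out. A comment above the `by_authentication_token` view should say that the indexed property is a credential, which as far as the hunk shows is looked up by its raw value, so it must be kept out of logs and exports. The class body continues outside the hunk.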
@@ -55,10 +55,10 @@ Devise.setup do |config|
 # It can be set to an array that will enable http authentication only for the
 # given strategies, for example, `config.http_authenticatable = [:token]` will
 # enable it only for token authentication.
- # config.http_authenticatable = false
+ config.http_authenticatable = [:token]
 # If http headers should be returned for AJAX requests. True by default.
- # config.http_authenticatable_on_xhr = true
+ config.http_authenticatable_on_xhr = true
 # The realm used in Http Basic Authentication. "Application" by default.
 # config.http_authentication_realm = "Application"
@@ -176,7 +176,7 @@ Devise.setup do |config|
 # ==> Configuration for :token_authenticatable
 # Defines name of the authentication token params key
- # config.token_authentication_key = :auth_token
+ config.token_authentication_key = :auth_token
 # ==> Scopes configuration
 # Turn scoped views on. Before rendering "sessions/new", it will first check for
diff --git a/config/routes.rb b/config/routes.rb
index 5ab5556d..97bb6d82 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -38,9 +38,10 @@ Qrammer::Application.routes.draw do
 # USER
 default_url_options format: 'html', host: 'bladiblah'
- match '/user' => 'user#home', as: :user_root
+ match '/user' => redirect('/user/home.html')
+ match '/user/home' => 'user#home', as: :user_root
 get '/user/active_list(.:format)' => 'user#active_list', as: :user_active_list
- get '/user/list_info' => 'user#list_info', as: :user_list_info
+ match '/user/list_info' => 'user#list_info', as: :user_list_info, via: [:get, :options]
 post '/user/needs_help' => 'user#needs_help', as: :user_needs_help
 post '/user/list_needs_payment' => 'user#list_needs_payment', as: :user_list_needs_payment
 match '/user/create_list' => 'user#create_list', as: :user_create_list
diff --git a/make_android b/make_android
new file mode 100755
index 00000000..a59c2c22
--- /dev/null
+++ b/make_android
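Review bot: In `config/initializers/devise.rb`, enabling `config.token_authentication_key = :auth_token` means the credential travels as a request parameter, so on GET routes it ends up in URLs, server access logs and Referer headers. Nothing in the commit shows `:auth_token` being added to the parameter filter; if it is not already there, add `config.filter_parameters += [:auth_token]` in `config/application.rb`. Because the first hunk also sets `config.http_authenticatable = [:token]`, the mobile client can send the token in the HTTP authentication header instead of the query string, which is worth stating in a comment next to the setting. Whether a token-authenticated request also leaves a session cookie behind depends on Devise options not visible here and should be checked.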
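Review bot: In `config/routes.rb`, the new `match '/user/home' => 'user#home', as: :user_root` and `match '/user' => redirect('/user/home.html')` lines carry no `via:`, so they answer every HTTP verb; `get '/user/home' => 'user#home', as: :user_root` would limit the page to the verb it needs. The `via: [:get, :options]` on `/user/list_info` routes CORS preflight requests into the same action, behind the `authenticate_user!` filter that `UserController` now applies. The hunk does not show where the CORS response headers are set or which origins are allowed, so a comment naming that place would help the next reader. The `routes.draw` block starts and ends outside the hunk.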
@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+rm -rf public/assets;
+RAILS_ENV=production rake assets:precompile;
+RAILS_ENV=production rails runner script/build_mobile_app.rb
diff --git a/script/build_mobile_app.rb b/script/build_mobile_app.rb
index 2963594d..b2f6eb23 100644
--- a/script/build_mobile_app.rb
+++ b/script/build_mobile_app.rb
@@ -36,7 +36,7 @@ for action in uc.action_methods
 puts "action #{action} found"
 result = uc.render_to_string(action: action.dup)
 #result.sub! //, ''
- result.gsub! /(href|src)="([^#])/, %|\\1="#{root_url}\2|
+ result.gsub! /(href|src)="([^#])/, %|\\1="#{root_url}\\2|
 File.open(File.join(android_root, 'user', "#{action}.html"), 'w'){|f| f.puts result}
 end
 end
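Review bot: `make_android` has no error handling, so a failed `rake assets:precompile` still lets the build script run after `rm -rf public/assets` has already removed the previous assets. The mobile pages are then generated against an empty or partial asset directory. Add `set -euo pipefail` after the shebang and `cd "$(dirname "$0")"` before the `rm`, because the relative `public/assets` path otherwise depends on the caller's working directory. `#!/usr/bin/env bash` is more portable than `#!/usr/bin/bash`, and the trailing `;` on each line can be dropped.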
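Review bot: In `script/build_mobile_app.rb`, the pattern `/(href|src)="([^#])/` prefixes `root_url` to every `href` and `src` value that does not start with `#`, including values that are already absolute (`http://…`, `//host/…`, `mailto:`), which would leave broken URLs in the generated pages. A negative lookahead leaves those untouched and removes the need for the back-reference escaping this commit corrects: `result.gsub!(/(href|src)="(?!#|\/\/|[a-zA-Z][a-zA-Z0-9+.-]*:)/) { "#{$1}=\"#{root_url}" }`. The `for` loop begins above the hunk.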