So my application is using Devise to manage authentication. I recently added a logout button to the app and it seemed to work fine redirecting to the login screen. However today I was running some tests on the login screen and found that I was still logged into the app even after using the logout routine.
In my initializer I have:
config.sign_out_via = :delete
My logout link looks like this:
<%= link_to "Log out", destroy_user_session_path, :method => :delete %>
I have a check on ApplicationController to see if the user is required to be logged in:
class ApplicationController < ActionController::Base
  before_filter :require_login
  ...

  def after_sign_out_path_for(resource_or_scope)
    login_path # displays login page
  end

  def require_login
    redirect_to login_url unless current_user && user_signed_in?
  end
end
For some reason the user_signed_in? check is still returning true even after clicking the logout link. So I can still go back into the application without having to re-enter my credentials. This obviously shouldn't be the case.
UPDATE:
Here is the output from the server log:
Started DELETE "/users/sign_out" for 127.0.0.1 at 2014-07-03 13:05:07 +1000
Processing by Devise::SessionsController#destroy as HTML
  Parameters: {"authenticity_token"=>"Na06x5aAzq/XVhJKrxKEIoh/Bly53fIAq0KEQTG hmM="}
Can't verify CSRF token authenticity
UPDATE 2:
I just noticed now that when I try to log into the app using different login details it isn't working. Since I'm not being logged out it looks like it's skipping the login routine and redirecting me back in. I know that this was working previously so something has changed since to break this functionality.
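As an added illustration, and not code from the question, from Devise or from Rails: a stand-in for the forgery check that runs before Devise::SessionsController#destroy handles the DELETE to /users/sign_out. The session holds one authenticity token, the request must carry the same token in its parameters, and the two are compared in constant time. The example also shows a failure mode worth checking against the log line above: a Rails token is base64 (letters, digits, '+', '/' and trailing '='), and if a token containing '+' reaches the form body without percent-encoding, the '+' is decoded as a space and the comparison fails with "Can't verify CSRF token authenticity". Every function name here is a constructed name for this example, and the sample token is constructed.

```ruby
require 'securerandom'
require 'cgi'

# Constructed stand-in for Rails' forgery check; not Devise or Rails source.
# The session holds one token; every state-changing request (the DELETE to
# /users/sign_out included) must carry the same token in its parameters.

def generate_authenticity_token
  SecureRandom.base64(32) # alphabet: A-Z a-z 0-9 + / plus trailing '='
end

# Constant-time comparison so the check leaks no timing information about
# how many leading bytes of the submitted token matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def valid_authenticity_token?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  secure_compare(session_token, submitted_token)
end

# Minimal application/x-www-form-urlencoded parser, decoding the body the way
# a server does: '%XX' escapes are decoded and a bare '+' becomes a space.
def parse_form_body(body)
  body.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    params[CGI.unescape(key)] = CGI.unescape(value.to_s)
  end
end

# Simulates the server side of DELETE /users/sign_out: :ok when the token
# checks out, :csrf_failure otherwise (the point where Rails logs
# "Can't verify CSRF token authenticity").
def handle_sign_out(session_token, body)
  params = parse_form_body(body)
  if valid_authenticity_token?(session_token, params['authenticity_token'])
    :ok
  else
    :csrf_failure
  end
end

# Body a correct client sends: the token is percent-encoded, so '+' survives.
def encoded_body(token)
  "authenticity_token=#{CGI.escape(token)}"
end

# Body where the token was placed in raw; any '+' in it decodes to a space.
def raw_body(token)
  "authenticity_token=#{token}"
end

if __FILE__ == $PROGRAM_NAME
  token = 'abc+def/ghi=' # constructed sample token containing a '+'
  puts "encoded body: #{handle_sign_out(token, encoded_body(token))}"
  puts "raw body:     #{handle_sign_out(token, raw_body(token))}"
end
```

Run with ruby; the encoded body passes and the raw body fails because the decoded parameter reads "abc def/ghi=". The practical check for the logout link is therefore twofold: the sign_out request must carry a token that matches the session, and it must reach the server byte-for-byte intact.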