Stop Devise from Clearing Session

The destroy¹ method of SessionsController contains the following line:

signed_out = Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)

The sign_out_all_scopes² method calls warden.logout without any arguments, and the sign_out³ method calls warden.logout(scope).

The documentation of the logout⁴ method states:

# Logout everyone and clear the session
env['warden'].logout

# Logout the default user but leave the rest of the session alone
env['warden'].logout(:default)

Conclusion: sign_out should preserve the session when given a specific scope. However, I don't see any way to do that. sign_out_all_scopes is always called first, and will only return false if it couldn't log any user out.

I recommend either posting a feature request on their issue tracker or developing your own authentication solution. Rails now provides has_secure_password, and these days people seem to be going for the latter in order to avoid running into these problems.


¹ Devise::SessionsController#destroy

² Devise::Controllers::Helpers#sign_out_all_scopes

³ Devise::Controllers::Helpers#sign_out

⁴ Warden::Proxy#logout
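The two logout behaviours described in the answer above, as an added example that is not part of the original answer and is not Warden's or Devise's own code. `FakeWarden`, `logout_keeping` and the sample session keys are constructed stand-ins; the example shows what survives a scoped logout, and an allowlist-based alternative to keeping the whole session.

```ruby
# Simplified model of the two logout behaviours quoted from the Warden docs.
# FakeWarden is a constructed stand-in, not Warden's implementation.
class FakeWarden
  attr_reader :session

  def initialize(session)
    @session = session
  end

  # logout        -> log out every scope and clear the whole session
  # logout(:user) -> remove only that scope's entry, leave the rest alone
  def logout(*scopes)
    return @session.clear if scopes.empty?

    scopes.each { |scope| @session.delete("warden.user.#{scope}.key") }
  end
end

# Hypothetical helper: do a full logout, then restore only an explicit
# allowlist of non-authentication keys so nothing else survives by accident.
def logout_keeping(warden, allowlist)
  kept = warden.session.slice(*allowlist)
  warden.logout
  warden.session.merge!(kept)
end

# Constructed sample session: two signed-in scopes plus application data.
def sample_session
  {
    "warden.user.user.key"  => [[1], "salt-a"],
    "warden.user.admin.key" => [[7], "salt-b"],
    "cart_id"               => 42,
    "impersonating"         => true
  }
end

# Returns the session keys left behind by each logout style.
def demo
  scoped = FakeWarden.new(sample_session)
  scoped.logout(:user) # other scope and all app data remain

  full = FakeWarden.new(sample_session)
  full.logout # everything is gone

  kept = FakeWarden.new(sample_session)
  logout_keeping(kept, ["cart_id"]) # only the allowlisted key remains

  { scoped: scoped.session.keys, full: full.session.keys, kept: kept.session.keys }
end

p demo if $PROGRAM_NAME == __FILE__
```

After the scoped logout the `admin` scope and the constructed `impersonating` flag are still in the session, which is the state to review before choosing to preserve a session across sign-out.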

How to devise destroy session and sign out from controller?

So I ended up solving this by creating a custom signout route

devise_scope :user do
  get '/signout', to: 'devise/sessions#destroy', as: :signout
end

and in my controller I have:

if something_is_not_kosher
  redirect_to signout_path and return
end

Stop devise from automatically creating a session after a successful registration

Simple solution: DON'T include the :registerable module in the model. I have it in for Admin, out for Tester.

How do I avoid a redirect when the user signs out in Devise?

You can change the behaviour by overriding Devise::SessionsController and the #destroy method:

class MySessionsController < Devise::SessionsController
  def destroy
    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
    # the `now: true` option sets the flash for this request
    set_flash_message! :notice, :signed_out, now: true if signed_out
    respond_to do |format|
      format.all { head :no_content }
      format.any(*navigational_formats) { render 'something' }
    end
  end
end

You also need to tell the router to route to your custom controller:

# config/routes.rb
devise_for :users, controllers: { sessions: "my_sessions" }

Devise destroy session doesn't destroy the session?

This is how I have implemented this, so it is known to work:

devise_scope :user do
  match "sign_out", :to => "sessions#destroy", via: [:delete]
end

<%= link_to sign_out_path, :method => "DELETE" do %>

<% end %>

Rails Disable devise flash messages

Probably the easiest way to do this is to

  1. Define each message as a blank string
  2. Check the length of the string before you show a flash message.

In your devise.en.yml file, specify each message as empty:

en:
  errors:
    messages:
      not_found: ''
      already_confirmed: ''
      not_locked: ''

etc. Next, in your layout, check for blank flash strings before you output them.

<% flash.each do |key, value| %>
  <%= content_tag :div, value, :class => "flash #{key}" unless value.blank? %>
<% end %>

