
InvalidAuthenticityToken in Devise::SessionsController#destroy (sign out after already having signed out)


I am using Devise 3.2.0 for authentication and found an issue when I do the following:

  • tab 1: sign in to app
  • tab 2: go to any page in the app
  • tab 2: sign out (success)
  • tab 1: sign out (failure - see exception below)

Exception raised:

ActionController::InvalidAuthenticityToken in Devise::SessionsController#destroy

In the development log I see:

Can't verify CSRF token authenticity

And the top three lines of the stack trace are:

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  actionpack (4.0.0) lib/action_controller/metal/request_forgery_protection.rb:163:in `handle_unverified_request'
  actionpack (4.0.0) lib/action_controller/metal/request_forgery_protection.rb:170:in `handle_unverified_request'
  devise (3.2.0) lib/devise/controllers/helpers.rb:198:in `handle_unverified_request'

How can I ensure successive sign outs don't raise an exception?


Solution

  • This bug was fixed in devise 3.3.0.
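
The two-tab sequence from the question, as an added example that is not part of the original post and is not Devise's code. It models the CSRF token as living in the one session that both tabs share, and compares strict verification with one possible hardening: a sign-out that checks whether anyone is still signed in before it verifies the token. `ToyApp`, `two_tab_sign_out` and the `idempotent_sign_out` switch are hypothetical names, and the model assumes that signing out discards the session together with its token.

```ruby
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

# Hypothetical toy server: every tab of one browser shares this session.
class ToyApp
  def initialize(idempotent_sign_out:)
    @idempotent_sign_out = idempotent_sign_out
    @session = {}
  end

  def sign_in(user)
    @session = { user: user, csrf: SecureRandom.hex(16) }
  end

  # Rendering a page embeds the session's current token in the sign-out form.
  def render_page
    @session[:csrf] ||= SecureRandom.hex(16)
  end

  def sign_out(form_token)
    # Hardened path: nobody is signed in, so there is no state left to protect.
    return :already_signed_out if @idempotent_sign_out && !@session[:user]
    raise InvalidAuthenticityToken unless token_ok?(form_token)
    @session = {} # assumption: sign-out discards the session and its token
    :signed_out
  end

  private

  # Constant-time comparison; a missing session token never matches.
  def token_ok?(given)
    expected = @session[:csrf]
    !expected.nil? && given.bytesize == expected.bytesize &&
      given.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Tab 1 and tab 2 load a page, tab 2 signs out, then tab 1 signs out.
def two_tab_sign_out(app)
  app.sign_in("alice") # constructed sample user
  tab1_token = app.render_page
  tab2_token = app.render_page
  first = app.sign_out(tab2_token)
  second = begin
    app.sign_out(tab1_token)
  rescue InvalidAuthenticityToken
    :invalid_authenticity_token
  end
  [first, second]
end
```

In the hardened mode a request with a wrong token is still rejected while a user is signed in, so the sign-out action keeps its CSRF protection.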