After upgrading to Rails 3.2.2 and Devise 2.0.4, logout does not destroy session

Question

After upgrading my rails project to rails 3.2.2 and Devise 2.0.4, I am no longer able to logout. I am not experiencing this issue; instead, clicking logout does not properly leave me in a logged-out state, the user object is still valid and there is still a current_user. Here is what is in my logs:

Started DELETE "/users/sign_out" for 127.0.0.1 at 2012-03-16 20:54:56 -0400
Processing by Devise::SessionsController#destroy as */*
Redirected to http://localhost:3000/
Completed 302 Found in 1ms (ActiveRecord: 0.0ms)

So, it's being routed correctly. I attempted to reinstall devise with no luck.

In my attempts to debug, I inserted the line:

= session.inspect

Into my template. What I found is the following:

{"session_id"=>"XXXXXXXXXX4b2aa9600eb3bee9921e05", "warden.user.user.key"=>["User", [1], "$2a$10$3/l/XXXXXXXXXXdhS.KCRe"], "_csrf_token"=>"XXXXXXXXXXVSp805CEN8U+GA4FcSWupcVLPH1RoacE8="}

Session_id and _csrf_token would change after every attempted logout, but warden.user.user.key would not change. (Note that I have blanked out the initial 10 chars of each string).

Can anyone explain this behavior?

Thanks!

Answer 1

I think this has something to do with a pre-Devise 2.0.4 session cookie. When I open up "Incognito" in my Chrome, it works as expected.