Rails devise does not start session after registration

Question

I am running a rails 4 app with devise 3.2.2 .

When a user confirms the registration from the email link, the session does not start. The user has to go through auth again.

Expected: Confirming registration results in a fully authed session on the webpage.

in the model

user.rb

devise :database_authenticatable, :registerable, :confirmable,
        :recoverable, :rememberable, :trackable, :validatable

session_store.rb:

Thumbs::Application.config.session_store :cookie_store, key: '_my_session'

While this might be obvious to many people, I am struggling a bit with this. Can somebody give a helping hand?

Answer 1

This used to be what happened, but it was before Devise 3.1. Since Devise 3.1, the approach is for users not to be logged in automatically after clicking on the link in their confirmation email. This is more secure as it guards against the case where somebody else gets hold of their email (or they just misspell their address when registering and it happens to be an address belonging to someone else so their confirmation is successfully sent to the wrong person) and the other person can then use the link to immediately log in to their account.

For 3.1 only, there was an option to allow the old behaviour. You could set a flag config.allow_insecure_sign_in_after_confirmation to enable the automatic sign-in after clicking on the confirmation link. However, this was a temporary feature and was removed in 3.2. You can see the commit which removed it here (which also removed looking up un-hashed confirmation/lock tokens, which was another change made to improve security):

https://github.com/plataformatec/devise/commit/6b3b0c5e8c57253d3d178def678ccc26e66cd630

Here's the blog post which announced the change to the more secure approach for 3.1:

http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/