token authentication does not log out existing user #1644

ericmnel opened this Issue Feb 13, 2012 · 6 comments


If you are authenticated as user A on a web browser session, and then click a token authentication link for user B, it keeps you logged in as user A.

In order to get the token authentication link to work you have to be logged out manually; it does not automatically log out user A and log in user B.

Plataformatec member

Yes, the token authentication does not even get to be validated if the user is already signed in. If this is the scenario you want, you should probably create your own authentication entry point or manage the token by yourself.

@josevalim josevalim closed this Feb 13, 2012

This is how I dealt with it, in case anybody else needs to have a token authentication that will log out existing users before logging in with the token:

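```ruby
def token_login
  token = params[:token]

  # No token supplied: log it and send the browser home.
  if token == nil
    ERROR_LOG.create "Missing parameter 'token'"
    redirect_to root_path
    return
  end

  case
  when current_login == nil
    INFO_LOG.create "Token login without current login"
  when current_login.authentication_token == token
    # The token belongs to the login that is already active.
    INFO_LOG.create "Token login, already logged in"
    redirect_to root_path
    return
  else
    # A different login is active: sign it out before using the token.
    INFO_LOG.create "Token login, signing out current login #{}"
    sign_out current_login
  end

  # Hand the token to the regular token authentication.
  redirect_to "#{root_path(:auth_token => token)}"
end
```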



I had the same need as @ericmnel and solved it by adding a before_filter to the application controller:

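```ruby
def sign_out_if_token_present
  # Sign out only when a user is signed in and the link carries a different token.
  if params[:auth_token].present? && current_user && params[:auth_token] != current_user.authentication_token
    sign_out current_user
  end
end
```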
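
The behaviour discussed in this thread, as an added example that is not part of the original comments and is not Devise's code: a plain-Ruby model showing that the token is ignored while user A is signed in, that the before_filter approach switches the session to user B, and that a link with an unrecognised token leaves the browser signed out. `ModelApp`, `outcome` and the sample users and tokens are hypothetical names constructed for the illustration.

```ruby
# Constructed model of the request flow in this thread; hypothetical names, not Devise's API.
User = Struct.new(:name, :authentication_token)

class ModelApp
  attr_reader :current_user

  def initialize(users, signed_in: nil, sign_out_filter: false)
    @by_token = users.map { |u| [u.authentication_token, u] }.to_h
    @current_user = signed_in
    @sign_out_filter = sign_out_filter
  end

  # One request: the optional filter runs first, then authentication.
  def request(params)
    sign_out_if_token_present(params) if @sign_out_filter
    authenticate(params)
    @current_user ? @current_user.name : :anonymous
  end

  private

  # The before_filter approach from the thread, guarded for the signed-out case.
  def sign_out_if_token_present(params)
    token = params[:auth_token].to_s
    return if token.empty? || @current_user.nil?
    @current_user = nil if token != @current_user.authentication_token
  end

  # Token lookup runs only when no user is in the session, which is the
  # behaviour the maintainer describes above.
  def authenticate(params)
    return if @current_user
    @current_user = @by_token[params[:auth_token].to_s]
  end
end

# Constructed sample users and tokens.
ALICE = User.new("A", "token-a")
BOB   = User.new("B", "token-b")

# Start signed in as user A, follow a link carrying `token`, report who is signed in.
def outcome(filter, token)
  app = ModelApp.new([ALICE, BOB], signed_in: ALICE, sign_out_filter: filter)
  app.request({ auth_token: token })
end
```

With the filter enabled, any link whose token differs from the current user's ends that user's session, including a token that matches nobody.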

Thanks @seanrucker!


Thank you! I was having the same problem 👍


Simple and effective solution - thanks @seanrucker!
