
Avoid sign-in after confirmation link click using devise gem?

I am using the devise gem; after clicking on the confirmation link, I want to be signed in directly. At present it is asking me to sign in again.

Recently I have added the following in the devise initializer file:

    config.allow_insecure_token_lookup = true
    config.secret_key = 'a8d814803c0bcc735ce657adc77793459d00154cdd7532c13d3489600dc4e963f86e14beb593a32cbe9dbbe9197c9ce50a30102f363d90350052dc8d69930033'

Any suggestions?

Durga Prasad asked Sep 06 '13 10:09



2 Answers

In previous Devise versions, the user was automatically signed in after confirmation. This meant that anyone who could access the confirmation e-mail could sign into someone's account by simply clicking the link.

Automatically signing the user in could also be harmful in the e-mail reconfirmation workflow. Imagine that a user decides to change his e-mail address and, while doing so, makes a typo in the new e-mail address. An e-mail will be sent to another address, whose recipient, with the token in hand, would be able to sign in to that account.

If the user corrects the e-mail straight away, no harm will be done. But if not, someone else could sign into that account and the user would not know that it happened.

For this reason, Devise 3.1 no longer signs the user in automatically after confirmation. You can temporarily bring the old behavior back after upgrading by setting the following in your config/initializers/devise.rb:

    config.allow_insecure_sign_in_after_confirmation = true

This option will be available only temporarily to aid migration.

Rajarshi Das answered Oct 18 '22 16:10



The config.allow_insecure_sign_in_after_confirmation flag is no longer supported in Devise.

While you should be aware of the possible security concerns of automatically logging users in when they confirm their account (http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/), for some apps the benefit in terms of user experience may be worth the security tradeoff.

After all, the security risk is that a) the user mis-types their email, b) they don't immediately correct their mistake, c) the email they typed corresponds to a valid and working email, d) the person who incorrectly receives the email opens it and clicks the link.

If this is an acceptable risk profile for your application, you can override the Devise ConfirmationsController:

    class ConfirmationsController < Devise::ConfirmationsController
      def show
        self.resource = resource_class.confirm_by_token(params[:confirmation_token])
        yield resource if block_given?

        if resource.errors.empty?
          set_flash_message(:notice, :confirmed) if is_flashing_format?
          sign_in(resource) # <= THIS LINE ADDED
          respond_with_navigational(resource) { redirect_to after_confirmation_path_for(resource_name, resource) }
        else
          respond_with_navigational(resource.errors, :status => :unprocessable_entity) { render :new }
        end
      end
    end

And route to it in your routes.rb:

    devise_for :users, controllers: { confirmations: 'confirmations' }

Louis Simoneau answered Oct 18 '22 16:10

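To make the trade-off discussed in both answers concrete, here is a small self-contained Ruby model of a confirmable account, added as an example and not taken from Devise or from either answer. The Account class, secure_compare and typo_scenario are constructed here, and the sign_in_after_confirmation keyword stands in for the removed config option; it shows that with auto sign-in a misdelivered reconfirmation link alone yields a session, while without it the password is still required.

```ruby
require 'securerandom'

# Toy model of a Devise-style confirmable account (constructed for this example, not Devise code).
class Account
  attr_reader :email, :confirmation_token, :confirmed_at

  def initialize(email, password)
    @email, @password, @confirmed_at, @unconfirmed_email = email, password, nil, nil
    issue_token
  end
  # Reconfirmation: a changed address waits in unconfirmed_email until its token is used.
  def change_email(new_email)
    @unconfirmed_email = new_email
    issue_token
  end
  # Consumes the token once; false for unknown, reused or malformed tokens.
  def confirm_by_token(token)
    return false unless token.is_a?(String) && @confirmation_token && secure_compare(token, @confirmation_token)
    @email = @unconfirmed_email if @unconfirmed_email
    @unconfirmed_email = @confirmation_token = nil
    @confirmed_at = Time.now
    true
  end
  def authenticate(password)
    !confirmed_at.nil? && password.is_a?(String) && secure_compare(password, @password)
  end

  private
  def issue_token
    @confirmation_token = SecureRandom.hex(16)
  end
  def secure_compare(a, b) # constant-time so token checks do not leak by timing
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The policy switch the answers discuss: does a valid confirmation also grant a session
# to whoever presented the token? Returns the signed-in email, or nil.
def confirm_and_maybe_sign_in(account, token, sign_in_after_confirmation:)
  return nil unless account.confirm_by_token(token)
  sign_in_after_confirmation ? account.email : nil
end

# The mistyped-reconfirmation case from both answers: the link reaches the wrong inbox.
def typo_scenario(sign_in_after_confirmation:)
  victim = Account.new('alice@example.com', 's3cret')
  victim.confirm_by_token(victim.confirmation_token)  # normal signup confirmation
  victim.change_email('alcie@example.com')            # typo: the mail goes to a stranger
  session = confirm_and_maybe_sign_in(victim, victim.confirmation_token, sign_in_after_confirmation: sign_in_after_confirmation)
  # Without auto sign-in, a session still requires the password, which the recipient lacks.
  session || (victim.authenticate('wrong password') ? victim.email : nil)
end
```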