Menu
So I looked around for a solution to this issue and most seem to say the same thing which hasn't done much to solve my problem. I've specified the delete method in the link but the routing error is saying it was a GET request. Any ideas why the link below would wind up making a overriding/ignoring the method declaration?
<%= link_to "sign out", destroy_user_session_path, :method => :delete %>
Routes
devise_for :users do
get 'logout' => 'sessions#destroy', :as => :destroy_user_session
get 'login' => 'devise/sessions#new'
end
211
asked Oct 23 '25 08:10
In your config/initializers/devise.rb change the default HTTP method used to sign out a resource to :get. The default is :delete.
config.sign_out_via = :get
72
answered Oct 24 '25 22:10
Don't use GET to destroy a session because it opens you up to CSFR, which isn't that big deal of a deal in this case - but still not a good thing to do). And, it doesn't follow REST conventions.
If you're using SSL for Devise routes, what's happening is when you try to sign out from an 'http' url, it's sending a DELETE request properly but then redirecting to the 'https' version via GET.
Fix this by adding (protocol: 'https') to the sign out url like so:
= link_to "Logout", destroy_user_session_url(protocol: 'https'), method: :delete
Note: it's important to use 'url' instead of 'path'.
Hope that helps.
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
