Devise No route matches [GET] "/users/sign_out" from link with delete specified

Question

So I looked around for a solution to this issue and most seem to say the same thing which hasn't done much to solve my problem. I've specified the delete method in the link but the routing error is saying it was a GET request. Any ideas why the link below would wind up making a overriding/ignoring the method declaration?

<%= link_to "sign out", destroy_user_session_path, :method => :delete %>

Routes

  devise_for :users do
    get 'logout' => 'sessions#destroy', :as => :destroy_user_session
    get 'login' => 'devise/sessions#new'
  end

Could you post the logs for a request with the error? Could you post the HTML that gets generated for this link? — carols10cents, Oct 16 '13 at 21:19

score 4 · Answer 1 · answered Oct 16 '13 at 22:15

4

In your config/initializers/devise.rb change the default HTTP method used to sign out a resource to :get. The default is :delete.

config.sign_out_via = :get

answered Oct 16 '13 at 22:15

Adam Jonas

164
1
11

1

This worked for me, but seems to open my site up to security risks. Do you agree this adds risk to a site? – thatdankent Feb 12 '14 at 14:40
I don't think it's a security risk, it just makes it easier to log people out. – Adam Jonas Aug 05 '14 at 15:05

score 2 · Accepted Answer · answered Nov 26 '13 at 02:35

Don't use GET to destroy a session because it opens you up to CSFR, which isn't that big deal of a deal in this case - but still not a good thing to do). And, it doesn't follow REST conventions.

If you're using SSL for Devise routes, what's happening is when you try to sign out from an 'http' url, it's sending a DELETE request properly but then redirecting to the 'https' version via GET.

Fix this by adding (protocol: 'https') to the sign out url like so:

= link_to "Logout", destroy_user_session_url(protocol: 'https'), method: :delete

Note: it's important to use 'url' instead of 'path'.

Hope that helps.

score 1 · Answer 3 · answered Feb 12 '14 at 14:38

1

What I did was change:

get 'logout' => 'sessions#destroy', :as => :destroy_user_session

to

delete 'logout' => 'sessions#destroy', :as => :destroy_user_session

and changed:

destroy_user_session_path

to

destroy_user_session_url

and I commented out:

config.sign_out_via = :get

in config/initializers/devise.rb because the default is :delete (which is conventional and secure).

Happy coding!

answered Feb 12 '14 at 14:38

thatdankent

950
8
15

Thanks. This worked for me. My devise.rb file already had config.sign_out_via = :delete in it, but once I commented that out, then it worked fine. I'm wondering if that means I'm using :get now. – Ryan Aug 16 '14 at 00:32

score 0 · Answer 4 · answered Oct 16 '13 at 21:24

I think it's because you use 'get' instead a 'delete' in the declaration of route. Try change 'get' by 'delete' in 'logout' route:

  devise_for :users do
    delete 'logout' => 'sessions#destroy', :as => :destroy_user_session
    get 'login' => 'devise/sessions#new'
  end

score 0 · Answer 5 · answered Mar 28 '14 at 11:23

0

Check whether you have include jquery and jquery_ujs

<%= javascript_include_tag "jquery", "jquery_ujs" %>

If not include it. It is solve this problem.

answered Mar 28 '14 at 11:23

Amrit Dhungana

4,371
5
31
36

score 0 · Answer 6 · answered Apr 05 '22 at 02:04

0

In my case, using button_to instead of link_to solved my problem:

<%= button_to "Log out", destroy_user_session_path, method: 'delete' %>

This answer helped me.

answered Apr 05 '22 at 02:04

Gabriel Guérin

430
2
13

Devise No route matches [GET] "/users/sign_out" from link with delete specified

6 Answers6

Linked