api - EmberAuth and Rails 3 - session cookie sticks around after signout, Rails treats user as authenticated


I have an Ember app accessing a Rails API with Devise authentication, more or less following the ember-auth-demo GitHub project.

Everything works, but in testing I've noticed that if I sign in, sign out, and then try to register a new account, Rails complains with:

    Filter chain halted as :require_no_authentication rendered or redirected
    Completed 302 Found in 2ms (ActiveRecord: 0.2ms)

Googling has revealed that this is to prevent authenticated users from creating new accounts, which seems like a sound policy that I shouldn't circumvent.

However, it's curious because the front-end Ember app is not in an authenticated state. Looking at the local cookie store, the remember_token is destroyed on signout. The session cookie is still hanging around. If I manually destroy that, everything works as expected: the user is not considered authenticated by the back-end app, and it processes the request normally.

For brevity, the relevant files are in a gist: https://gist.github.com/dvg/5975064, and the sign_out functions are here:

    # EmberAuth signOut method
    App.ApplicationController = Ember.Controller.extend
      signOut: ->
        App.Auth.signOut()
        App.Auth.destroySession()

    # Rails SessionsController#destroy
    def destroy
      return missing_params unless params[:auth_token]

      # Look the user up by the token sent with the sign-out request
      resource = resource_class.find_by_authentication_token(params[:auth_token])
      return invalid_credentials unless resource

      # Rotate the token so the old one can no longer be used
      resource.reset_authentication_token!
      render json: {user_id: resource.id}, status: 200
    end

The issue was that it was storing the token in the session. I had to disable that with:

    config.skip_session_storage = [:http_auth, :token_auth]

in the Devise initializer.
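The failure described in this thread, reproduced as an added example that is not part of the original post and is not Devise or Warden source code. It is a simplified model in plain Ruby: `User`, `Backend` and `authenticated_after_sign_out?` are hypothetical names, and the token value is constructed.

```ruby
require "securerandom"

# Simplified stand-in for a token-authenticated user record (hypothetical).
User = Struct.new(:id, :token) do
  def reset_token!
    self.token = SecureRandom.hex(16)
  end
end

# Simplified stand-in for the Rails/Devise back end (hypothetical).
class Backend
  def initialize(users, skip_session_storage: [])
    @users = users
    @skip = skip_session_storage
  end

  # Authenticate a request: the session is consulted first, then the token.
  def current_user(session, auth_token = nil)
    if (id = session[:user_id])
      return @users.find { |u| u.id == id }
    end
    user = auth_token && @users.find { |u| u.token == auth_token }
    # Behaviour behind the bug: a successful token login is also written
    # to the session unless :token_auth is listed as skipped.
    session[:user_id] = user.id if user && !@skip.include?(:token_auth)
    user
  end

  # Like the SessionsController#destroy above: rotates the token only and
  # never touches the session.
  def sign_out(auth_token)
    user = @users.find { |u| u.token == auth_token }
    user&.reset_token!
    !user.nil?
  end
end

# True if a request carrying only the session cookie (no token) is still
# treated as authenticated after sign-out.
def authenticated_after_sign_out?(skip)
  user = User.new(1, "constructed-sample-token")
  backend = Backend.new([user], skip_session_storage: skip)
  session = {} # stands in for the browser's session cookie
  backend.current_user(session, "constructed-sample-token")
  backend.sign_out("constructed-sample-token")
  !backend.current_user(session).nil?
end

puts authenticated_after_sign_out?([])                        # :token_auth not skipped
puts authenticated_after_sign_out?([:http_auth, :token_auth]) # setting from this page
```

If session storage has to stay enabled for other reasons, the sign-out action would also need to clear the server-side session, since rotating the token alone leaves the cookie valid.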

