Why does devise prompt me with basic auth when I'm already signed in?

Devise has been my go to authentication plugin for the past few Rails 3 projects I've worked on. In the current project, I'm using a vanilla install of devise with a user model using the default configuration module开发者_如何学Cs.

Whenever I click a link that does an ajax post to a controller that uses Devise's:

before_filter :authenticate_user!

it prompts me for basic authentication. I've never seen this happen before, and I was wondering if anyone has an idea as to what might be causing it.

AJAX is going to be (usually) a content_type of javascript or json.

In cases like this, devise is not going to redirect you to the login page, it will issue a 401 response code (login required). Your browser gets the 401 and gives you the change to login with HTTP authentication.

You will probably want to check on your view if the user is logged in before sending the ajax information to the protected endpoint.

http://jasoncodes.com/posts/rails-csrf-vulnerability

The above link mentions that Rails requires an auth token with all "with each non-GET Ajax request"s to Devise. (because of the protection from forgery stuff)

The article mentions how to do it, too, but I'm still figuring that part out.

If you DON'T do that, then Rails seems to require you to log in a second time (usually only once).