Adding authentication constraint with Devise

I'm working on a Rails 3.1 application with Devise for the authentication part. In my application, I have sites and users, with users having access only to some sites (defined at the user's creation). What I'm trying to do is that at sign in, in addition to provide email and password, the user must choose a site and the sign in succeeds only if the chosen site is one of the sites the user has access to. In order to do that, what I did is overriding the Devise::SessionsController like this:

class SessionsController < Devise::SessionsController
  def create
    user = User.find_by_email params[:user][:email]
    site = Site.find_by_id params[:user][:site_id]
    if user && user.can_access_site?(site)
      super
      if user_signed_in?
        user_session[:site_id] = site.try(:id)
      end
    else
      redirect_to new_user_session_path, :alert => t('devise.failure.invalid')
    end
  end
end

But it doesn't work: the user authentication seems to have already been done (i.e. @current_user is set) before my call to super. Any idea how I could achieve what I'm trying to do? 开发者_JAVA百科Thx!