Please read for an updated status on RailsCasts:
Learn more or hide this
GitHub User: gilsilas
I think it's important to mention that when you set @current_user with cookie instead of session you lose the efficiency of rails CSRF protection.
It's happen because when rails protect_from_forgery method identify CSRF attack it's reset only the session and not the user's cookies.
To fix it you need to override handle_unverified_request()
at MODULE ActionController::RequestForgeryProtection::ClassMethods
and define it to delete auth_token cookie