GitHub User: gabrielso
Disclaimer: the cookie injection code is only an example.
The :auth_token is accessible in plain text in the cookie (since signing it would not help); capturing it would give access (a valid current_user) to anyone who knows how to inject it later, with no need for a password-based authorization process... wouldn't it be wise to generate a new :auth_token for the current_user and save it before SessionsController#destroy?
-> Kind of have no time to read all the comments, sorry if the subject has already been discussed.
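The replay risk the comment raises, and the rotate-on-logout fix it proposes, as an added example that is not part of the original comment or of the episode's code. It is a Rails-free, in-memory sketch: `User`, `CookieJar` and `SessionsController` are constructed stand-ins (hypothetical names), and `regenerate_auth_token!`, `destroy_naive` and `demo` are assumed helpers, not Rails or episode API. It shows that a token copied out of the cookie before logout still resolves to the user when logout only clears the cookie, and stops working once the token is regenerated server-side first.

```ruby
require "securerandom"

# Constructed in-memory stand-in for the User model; not the episode's code.
class User
  @by_token = {}
  class << self
    attr_reader :by_token

    # Mirrors User.find_by_auth_token as used in current_user.
    def find_by_auth_token(token)
      token && @by_token[token]
    end
  end

  attr_reader :id, :auth_token

  def initialize(id)
    @id = id
    regenerate_auth_token!
  end

  # Issue a fresh random token and index the user under it; the old value is
  # dropped, so any copy of it made earlier can no longer resolve this user.
  def regenerate_auth_token!
    User.by_token.delete(@auth_token) if @auth_token
    @auth_token = SecureRandom.urlsafe_base64(32)
    User.by_token[@auth_token] = self
    @auth_token
  end
end

# Constructed stand-in for the browser cookie jar (cookies[...] / cookies.delete).
class CookieJar
  def initialize
    @store = {}
  end

  def [](key)
    @store[key]
  end

  def []=(key, value)
    @store[key] = value
  end

  def delete(key)
    @store.delete(key)
  end
end

# Constructed controller sketch with the two logout variants side by side.
class SessionsController
  def initialize(cookies)
    @cookies = cookies
  end

  def current_user
    User.find_by_auth_token(@cookies[:auth_token])
  end

  # Login with "remember me": the plain token is placed in the cookie.
  def create(user)
    @cookies[:auth_token] = user.auth_token
  end

  # Naive logout (the concern in the comment): only the browser cookie is
  # cleared, so a copy of the token taken earlier still logs the user in.
  def destroy_naive
    @cookies.delete(:auth_token)
  end

  # Hardened logout: rotate the server-side token before dropping the cookie,
  # so a previously captured :auth_token value is no longer valid.
  def destroy
    current_user&.regenerate_auth_token!
    @cookies.delete(:auth_token)
  end
end

# Log a user in, copy the cookie value, log out with or without rotation, then
# present the copied value in a fresh jar. Returns true if the replay still
# yields a current_user.
def replay_succeeds?(rotate:)
  user = User.new(1)
  browser = CookieJar.new
  sessions = SessionsController.new(browser)
  sessions.create(user)
  captured = browser[:auth_token] # value copied out of the cookie before logout
  rotate ? sessions.destroy : sessions.destroy_naive

  replay = CookieJar.new
  replay[:auth_token] = captured
  !SessionsController.new(replay).current_user.nil?
end

puts "naive logout, replay works:   #{replay_succeeds?(rotate: false)}"
puts "rotating logout, replay works: #{replay_succeeds?(rotate: true)}"
```

In a real Rails app the rotation is the same idea with the model saved to the database (`current_user.regenerate_auth_token!` followed by `cookies.delete(:auth_token)`); the cookie value itself stays plain, so the protection comes entirely from the stored token no longer matching.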