Rails 3 - basic HTTP authentication vs authentication token with iPhone
The way that HTTP authentication works, once a browser is logged in (i.e. is sending WWW-Authenticate headers), it will stay logged in until its HTTP authentication cache is expired (usually when you exit the browser).
Since browsers continue to send valid credentials in HTTP authentication (there is no "HTTP logout"), that's why you're seeing the user still logged in.
My recommendation is to use the authentication_token functionality in Devise and pass ?auth_token to your APIs. Keep in mind that you have to pass them as part of the URL even if it is a POST/DELETE/PUT/etc. (this is a Devise bug that may be fixed by now).
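
The difference described in the answer above, as an added sketch that is not part of the original post and does not use Devise: plain Ruby with a constructed `Account` class and hypothetical helpers (`basic_auth_ok?`, `token_auth_ok?`, `sign_out_demo`). It shows that a cached Basic header keeps authenticating after a server-side sign-out, while a token that the server resets does not.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory account (hypothetical; stands in for the app's user record).
class Account
  attr_reader :name, :auth_token

  def initialize(name, password)
    @name = name
    @password_digest = Digest::SHA256.hexdigest(password) # sketch only, not a production password hash
    reset_token!
  end
  # Issue a fresh random token; the previously issued one stops matching.
  def reset_token!
    @auth_token = SecureRandom.hex(20)
  end
  def password_ok?(password)
    secure_eq?(@password_digest, Digest::SHA256.hexdigest(password.to_s))
  end
  def token_ok?(token)
    secure_eq?(Digest::SHA256.hexdigest(@auth_token), Digest::SHA256.hexdigest(token.to_s))
  end

  private
  # Constant-time comparison of two equal-length hex digests.
  def secure_eq?(a, b)
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Basic auth: the client resends "Basic base64(user:password)" on every request.
def basic_auth_ok?(account, header)
  scheme, encoded = header.to_s.split(" ", 2)
  return false unless scheme&.casecmp?("basic") && encoded
  user, password = encoded.unpack1("m").split(":", 2)
  user == account.name && account.password_ok?(password)
end

# Token auth: compare the auth_token request parameter with the stored token.
def token_auth_ok?(account, params)
  account.token_ok?(params["auth_token"])
end

# Sign in, then sign out server-side, checking both credentials before and after.
def sign_out_demo
  account = Account.new("alice", "constructed-password")
  header = "Basic " + ["alice:constructed-password"].pack("m0") # what the client caches
  params = { "auth_token" => account.auth_token }               # token handed out at sign-in
  before = [basic_auth_ok?(account, header), token_auth_ok?(account, params)]
  account.reset_token! # server-side sign-out
  after = [basic_auth_ok?(account, header), token_auth_ok?(account, params)]
  { before: before, after: after }
end
```

The token here travels as the `auth_token` request parameter, as in the answer; a value sent in the URL is also written to web server access logs, so those logs need the same protection as the token.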