Merge pull request #2427 from plataformatec/issue-2421

redirect user to the referrer if latest request was not GET after timeout

lib/devise/failure_app.rb

@@ -78,7 +78,14 @@ module Devise
     def redirect_url
       if warden_message == :timeout
         flash[:timedout] = true
-        attempted_path || scope_path
+
+        path = if request.get?
+          attempted_path
+        else
+          request.referrer
+        end
+
+        path || scope_path
       else
         scope_path
       end

test/integration/timeoutable_test.rb

@@ -45,6 +45,16 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
+  test 'time out user session after deault limit time and redirect to latest get request' do
+    user = sign_in_as_user
+    visit edit_form_user_path(user)
+
+    click_button 'Update'
+    sign_in_as_user
+
+    assert_equal edit_form_user_url(user), current_url
+  end
+
   test 'time out is not triggered on sign out' do
     user = sign_in_as_user
     get expire_user_path(user)

test/rails_app/app/controllers/users_controller.rb

@@ -8,6 +8,14 @@ class UsersController < ApplicationController
     respond_with(current_user)
   end
 
+  def edit_form
+    user_session['last_request_at'] = 31.minutes.ago.utc
+  end
+
+  def update_form
+    render :text => 'Update'
+  end
+
   def accept
     @current_user = current_user
   end

test/rails_app/app/views/users/edit_form.html.erb

@@ -0,0 +1 @@
+<%= button_to 'Update', update_form_user_path(current_user), method: 'put' %>

test/rails_app/config/routes.rb

@@ -1,8 +1,12 @@
 Rails.application.routes.draw do
   # Resources for testing
   resources :users, :only => [:index] do
-    get :expire, :on => :member
-    get :accept, :on => :member
+    member do
+      get :expire
+      get :accept
+      get :edit_form
+      put :update_form
+    end
 
     authenticate do
       post :exhibit, :on => :member