Disable storage on CSRF

lib/devise/controllers/helpers.rb

@@ -255,6 +255,7 @@ module Devise
       def handle_unverified_request
         sign_out_all_scopes
         warden.clear_strategies_cache!
+        request.env["devise.skip_storage"] = true
         expire_devise_cached_variables!
         super # call the default behaviour which resets the session
       end

lib/devise/strategies/authenticatable.rb

@@ -9,7 +9,7 @@ module Devise
       attr_accessor :authentication_hash, :authentication_type, :password
 
       def store?
-        !mapping.to.skip_session_storage.include?(authentication_type)
+        super && !mapping.to.skip_session_storage.include?(authentication_type)
       end
 
       def valid?

lib/devise/strategies/base.rb

@@ -2,6 +2,11 @@ module Devise
   module Strategies
     # Base strategy for Devise. Responsible for verifying correct scope and mapping.
     class Base < ::Warden::Strategies::Base
+      # Whenever CSRF cannot be verified, we turn off any kind of storage
+      def store?
+        !env["devise.skip_storage"]
+      end
+
       # Checks if a valid scope was given for devise and find mapping based on this scope.
       def mapping
         @mapping ||= begin