It’s an interesting problem, really, for all you Devise masters out there.
We have Devise set up with OmniAuth, but the issue happens regardless of whether you are logged in via Facebook or logged in via a normal username. What happens is we have a Flash game embedded on our website. When you finish playing the game, the game will submit your score to the Rails backend:
```actionscript
request = new URLRequest("http://mydomain.com:2012/games/1/leaderboards/13/submitLeaderboardStatistic");
request.method = URLRequestMethod.POST;
var loader : URLLoader = new URLLoader();
loader.dataFormat = URLLoaderDataFormat.VARIABLES;
var variables : URLVariables = new URLVariables();
variables.game_value = aScore;
variables.game_id = 1;
variables.unique_identifier = "com.onecoolgameaday.highscores";
variables.time_stamp = new Date();
request.data = variables;
loader.addEventListener(Event.COMPLETE, on_complete);
loader.addEventListener(IOErrorEvent.IO_ERROR, onIOError);
loader.load(request);
```
The URL is sent out to our URL. The Controller (Leaderboards are nested underneath Games) gets the URL information in the submitLeaderboardStatistic method. This method deals with the information. In this method, I call current_user to get the current User, the one who submitted the actual score. Problem is, current_user returns nil.
Apparently, what is happening is that once the game launches that URL POST request, Devise invalidates the session (or something), so I cannot tell who submitted the score.
Why is the currently signed-in user being “kicked off” once the Flash game sends the URL? How do I fix this so I can say “user XXX submitted this score”?
Thank you!
Rails: 3.2.2
Ruby: 1.9.2
Devise: 1.5.3
Does the form you are submitting have a valid CSRF token? I think Devise calls reset_session if the CSRF token is invalid or doesn’t exist.
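
The behaviour this answer describes, as an added example that is not part of the original thread and is not Rails or Devise source: a simplified Ruby model of a CSRF check that resets the session on a non-GET request without a matching token. `ModelSession`, `handle_request` and the sample values are hypothetical; `authenticity_token` and `X-CSRF-Token` are the parameter and header names Rails checks.

```ruby
require "securerandom"

# Simplified model of the check the answer describes (not Rails or Devise source).
# A non-GET request whose token does not match the one stored in the session
# causes the session to be reset, so the signed-in user is lost.
class ModelSession
  attr_reader :data

  def initialize(user_id)
    @data = { user_id: user_id, csrf_token: SecureRandom.base64(32) }
  end

  def reset!
    @data = {}
  end
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user id the controller would see as current_user (nil if reset).
def handle_request(session, method:, params: {}, headers: {})
  unless method == "GET"
    expected = session.data[:csrf_token]
    supplied = params["authenticity_token"] || headers["X-CSRF-Token"]
    session.reset! unless secure_compare(expected, supplied)
  end
  session.data[:user_id]
end

# Constructed sample: score fields modelled on the question's POST.
SCORE = { "game_value" => "1200", "game_id" => "1" }.freeze

def demo
  s1 = ModelSession.new(42)
  without_token = handle_request(s1, method: "POST", params: SCORE)
  s2 = ModelSession.new(42)
  token = s2.data[:csrf_token] # assumption: the page hands this to the embedded game
  with_token = handle_request(s2, method: "POST",
                              params: SCORE.merge("authenticity_token" => token))
  [without_token, with_token]
end

p demo if __FILE__ == $PROGRAM_NAME
```

The first POST carries only the score fields and loses the session; the second carries the session's token and keeps the user.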