The config.allow_insecure_sign_in_after_confirmation flag is no longer supported in Devise.
While you should be aware of the possible security concerns of automatically logging users in when they confirm their account (http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/), for some apps the benefit in terms of user experience may be worth the security tradeoff.
After all, the security risk is that a) the user mis-types their email, b) they don’t immediately correct their mistake, c) the email they typed corresponds to a valid and working email, d) the person who incorrectly receives the email opens it and clicks the link.
If this is an acceptable risk profile for your application, you can override the devise ConfirmationsController:
class ConfirmationsController < Devise::ConfirmationsController
def show
self.resource = resource_class.confirm_by_token(params[:confirmation_token])
yield resource if block_given?
if resource.errors.empty?
set_flash_message(:notice, :confirmed) if is_flashing_format?
sign_in(resource) # <= THIS LINE ADDED
respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
else
respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
end
end
end
And route to it in your routes.rb:
devise_for :users, controllers: { confirmations: 'confirmations' }