I had the same problem and the following code seems to work for me.
Assume that the passwords controller is set for a singleton route. Also, assume that the authenticated model is an Account. With that, you have the following:
def update
if current_account.update_with_password(params[:account])
sign_in(current_account, :bypass => true)
flash[:notice] = 'Password updated.'
redirect_to account_path
else
render :action => :show
end
end
The key ingredient is the sign_in method call which seeks to re-sign-in the account, but bypasses the warden callbacks and stores the account into the session.