InvalidAuthenticityToken in Devise::SessionsController#destroy (sign out after already having signed out)
Here is what's happening:
When you initially signed out from tab 2, the session and authenticity_token associated with the logged-in user were destroyed. When you try to sign out from tab 1, Devise again tries to destroy the session using the authenticity_token which was destroyed on tab 2.
Hence, you get the error ActionController::InvalidAuthenticityToken, as Devise fails to authenticate using the given authenticity_token.
You only get one unique session per sign in; if that gets destroyed, you'll have nothing to destroy again.
EDIT
This behavior is not provided by Devise. If you wish to implement such behavior you will have to override SessionsController.
Create a sessions_controller.rb file in the app/controllers/users directory:

    class Users::SessionsController < Devise::SessionsController
      prepend_before_filter :verify_user, only: [:destroy]

      private

      ## This method intercepts SessionsController#destroy action
      ## If a signed in user tries to sign out, it allows the user to sign out
      ## If a signed out user tries to sign out again, it redirects them to sign in page
      def verify_user
        ## redirect to appropriate path
        redirect_to new_user_session_path, notice: 'You have already signed out. Please sign in again.' and return unless user_signed_in?
      end
    end

Update routes.rb

    devise_for :users, :controllers => { :sessions => "users/sessions" }

A simple solution to this problem could also be allowing sign outs via GET rather than DELETE. In devise.rb you can simply change to:

    # The default HTTP method used to sign out a resource. Default is :delete.
    config.sign_out_via = :get

Paste this in the layout: <%= csrf_meta_tags %>
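
The two-tab sequence discussed in the answers above, as an added example that is not part of any answer and is not Rails or Devise code: a plain-Ruby model of one session shared by two tabs, comparing the default DELETE sign-out, the prepended verify_user guard, and sign-out via GET. The `ModelApp` class, the `two_tab_sign_out` helper and the user name are hypothetical, and the model assumes the Rails rule that GET requests are not token-checked.

```ruby
require 'securerandom'

# Minimal model (NOT Rails or Devise code) of one browser session shared by two tabs.
class ModelApp
  InvalidAuthenticityToken = Class.new(StandardError)

  def initialize(guard: false, sign_out_via: :delete)
    @guard = guard                # true = a prepended verify_user-style filter is installed
    @sign_out_via = sign_out_via  # mirrors the idea of config.sign_out_via
    @session = {}
  end

  # Sign in and return the CSRF token that a rendered page would embed.
  def sign_in(user)
    @session = { user: user, csrf: SecureRandom.hex(16) }
    @session[:csrf]
  end

  # Handle a sign-out request carrying the token taken from the tab's page.
  def sign_out(method:, token: nil)
    return :wrong_method unless method == @sign_out_via
    # The prepended filter runs before the CSRF check, so it can answer first.
    return :redirect_to_sign_in if @guard && !@session[:user]
    # Assumed rule: GET is not token-checked; other verbs must match the session token.
    unless method == :get || (token && token == @session[:csrf])
      raise InvalidAuthenticityToken
    end
    @session = {} # resetting the session discards both the user and the token
    :signed_out
  end
end

# Outcome of signing out from tab 2, then from tab 1, both using the same page token.
def two_tab_sign_out(**opts)
  app = ModelApp.new(**opts)
  token = app.sign_in('alice') # constructed user; both tabs rendered this token
  method = opts.fetch(:sign_out_via, :delete)
  first = app.sign_out(method: method, token: token)
  second = begin
    app.sign_out(method: method, token: token)
  rescue ModelApp::InvalidAuthenticityToken
    :invalid_authenticity_token
  end
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  p two_tab_sign_out                      # default DELETE, no guard
  p two_tab_sign_out(guard: true)         # guard filter prepended
  p two_tab_sign_out(sign_out_via: :get)  # sign-out via GET
end
```

In the `:get` case the model signs the user out even when no token is sent, so that setting removes the error by taking sign-out out of CSRF protection rather than by handling the stale token.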