Rails.application.config.session_store :cookie_store, key: '_your_session', secure: false, domain: :all
secure is set to true when https enabled. 

class LoginController < ActionController::Base
  # https://stackoverflow.com/questions/38331496/rails-5-actioncontrollerinvalidauthenticitytoken-error
  protect_from_forgery prepend: true

  def show
    @student = Student.new
  end

  def login
    @student = Student.find_by_username(params.require(:student)[:username])

    if @student.nil?
      flash[:error] = '用户不存在！'
      redirect_to login_path
    else
      if @student.password == params.require(:student)[:password]
        login_success_process
      else
        flash[:error] = '密码错误！'
        flash[:username] = params.require(:student)[:username]

        redirect_to login_path
      end
    end
  end

  def logout
    clear_session

    flash[:notice] = 'Logout successfully!'
    redirect_to login_path
  end

  private

  def login_success_process
    set_login_session

    flash[:notice] = 'Login successfully!'
    redirect_to root_path
  end

  def set_login_session
    session[:id] = @student.id
    session[:username] = @student.username
    session[:name] = @student.name
  end

  def clear_session
    [:id, :username, :name].each do |key|
      session[key] = nil
    end
  end
end