As with the other authentication elements, we’ll put sign_out in the Sessions helper module. The implementation is simple: We set the current user to nil and use the delete method on cookies to remove the remember token from the session (Listing 8.30). (Setting the current user to nil isn’t currently necessary because of the immediate redirect in the destroy action, but it’s a good idea in case we ever want to use sign_out without a redirect.)

This completes the signup/signin/signout triumvirate, and the test suite should pass:

It’s worth noting that our test suite covers most of the authentication machinery, but not all of it. For instance, we don’t test how long the ‘‘remember me’’ cookie lasts or whether it gets set at all. It is possible to do so, but experience shows that direct tests of cookie values are brittle and have a tendency to rely on implementation details that sometimes change from one Rails release to the next. The result is breaking tests for application code that still works fine. By focusing on high-level functionality—verifying that users can sign in, stay signed in from page to page, and can sign out—we test the core application code without focusing on less important details.