app/controllers/devise/passwords_controller.rb in devise-3.5.1 vs app/controllers/devise/passwords_controller.rb in devise-3.5.2

@@ -36,22 +36,21 @@
       resource.unlock_access! if unlockable?(resource)
       if Devise.sign_in_after_reset_password
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
         set_flash_message(:notice, flash_message) if is_flashing_format?
         sign_in(resource_name, resource)
-        respond_with resource, location: after_resetting_password_path_for(resource)
       else
         set_flash_message(:notice, :updated_not_active) if is_flashing_format?
-        respond_with resource, location: new_session_path(resource_name)
       end
+      respond_with resource, location: after_resetting_password_path_for(resource)
     else
       respond_with resource
     end
   end
 
   protected
     def after_resetting_password_path_for(resource)
-      after_sign_in_path_for(resource)
+      Devise.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
     end
 
     # The path used after sending reset password instructions
     def after_sending_reset_password_instructions_path_for(resource_name)
       new_session_path(resource_name) if is_navigational_format?