budget/app/controllers/sessions_controller.rb

class SessionsController < ApplicationController
  require_unregistered_user only: %i[new create]
  # GET /sessions/new
  def new
    @session = Session.new
  end

  # POST /sessions or /sessions.json
  def create
    @session = Session.new(session_params)

    respond_to do |format|
      if @session.save
        session[:current_user_id] = @session.user_id

        format.html { redirect_to root_url, notice: "Session was successfully created." }
        format.json { render :show, status: :created, location: @session }
      else
        format.html { render :new, status: :unprocessable_entity, alert: @session.errors }
        format.json { render json: @session.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /sessions/1 or /sessions/1.json
  def destroy
    session[:current_user_id] = nil

    respond_to do |format|
      format.html { redirect_to new_session_url, notice: "Session was successfully destroyed." }
      format.json { head :no_content }
    end
  end

  private
    # Only allow a list of trusted parameters through.
    def session_params
      params.require(:session).permit(:email, :password)
    end
end