I am overriding Devise's failure response so that I can set a 401 status code. However, when the user fails to sign in, they are redirected to a page with a "you are being redirected" link. If I remove this :status => 401 from the redirect it works fine.

class CustomFailure < Devise::FailureApp
    def redirect_url
      new_user_session_url(:subdomain => 'secure')
    end

    def respond
        if http_auth?
           http_auth
        else
           store_location!
           flash[:alert] = i18n_message unless flash[:notice]
           redirect_to redirect_url, :status => 401
        end
    end
end

edit

Alternatively I would like to display the flash message and remain on the same page but adding this line of code:

render :text => "unauthorized", :status => 401

causes ruby to complain:

undefined method `render' for #<CustomFailure:0x00000103367f28>

What's happening here?

Proper HTTP statuses for a redirection are in the 30x form (301 and 302 being the most frequently used). By default, the redirect_to helper sets a 302 status header on the HTTP response. If you override that and set that to a 401, your web browser will assume that the response is a regular web page and will render the response body --which, in a redirection, is the boilerplate text "You are being redirected".

As said by @pantulis the browser will display this standard message if the response code is not a 3xx

To workaround this you can perform a javascript redirect:

# example with status 500:
render text: "<script>window.location = '#{url}';</script>", status: 500

This is off-course valid only if you are sure that all your users are using javascript. If your application can be browsed by users that may have disabled javascript you should also include a noscript tag and fallback in the standard "You are being redirected" message

I was actually running into this problem on our QA server, but not locally. It turned out that our memcache was intercepting the message and rendering it as a 200, and causing this message to appear. This was due indirectly to our memcache settings which didn't expect a re-direct from a GET.

From: 
$document_root/cache/$uri.html /cache/$uri /cache/$uri.html $uri @memcached

To:
$document_root/cache/$uri.html /cache/$uri /cache/$uri.html $uri @rails

When I have this problem what I have done in the past is something like this:

#app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  after_filter :check_page_content
  ...
  private
  def check_page_content
    if response.body.include? "You are being"
      html_doc = Nokogiri::HTML(response.body)
      uri = html_doc.css('a').map { |link| link['href'] }.first
      response.body = "<script>
                         window.location.replace('#{uri}');
                       </script>"
    end
  end
end

What I am doing is checking to see if the page content is "You are being". if this is true I know I am not where I want to be. and I just update the page to where I really want to be with some help of Javascript. I know its not the most elegant solution but it really does help

Happy Hacking