redirect_to :back sends you back to the page that issued the request. The page that issued the POST to the create action is your login page, so it just redisplays that. This is how it is supposed to work, although it is perhaps not the most intuitive
To get the effect you want you can create something like this in your application controller (this is from the Authlogic Example App):
return @current_user_session if defined?(@current_user_session)
@current_user_session = UserSession.find
return @current_user if defined?(@current_user)
@current_user = current_user_session && current_user_session.record
flash[:notice] = "You must be logged in to access this page"
flash[:notice] = "You must be logged out to access this page"
session[:return_to] = request.request_uri
redirect_to(session[:return_to] || default)
session[:return_to] = nil
Then you use redirect_back_or_default instead of redirect_to :back. The before_filters require_user and require_no_user stores the location you want to redirect back to.