Why would you need the session?
My interpretation of the feature is that you set as default the password of the last created user.
If that was the case, you are done passing params[:password] for that field no matter whether the creation of the user of that request is successful or not. If the creation is successful that's clear. If not and the user edited the password and email validation failed you do not want to set the default password back, you want to let him correct the email and still set the password he chose, so params[:password] makes sense there as well.