Expire a Session after Closing the Browser OR after 30 Minutes in Rails?

Question

How can I expire a session in Rails after a user closes the browser OR after 30 minutes? Whichever comes first?

I have tried in session_store.rb setting expire_after: nil || 30.minutes but doesn't work.

Rails 3.2

Answer 1

Alright, so the issue was with caching. I had to restrict caching on the login page to avoid a lag displaying the home page as if the user was logged in.

In the application_controller.rb I set the following:

before_filter :set_cache_headers
def set_cache_headers
      expires_now
end

And in session_store.rb I set the session store to

expire_after: 30.minutes

Answer 2

You can configure the application's session information in the initializer file config/initializers/session_store.rb

YourApp::Application.config.session_store :cookie_store, 
  :key => '_my_session', 
  :expire_after => 30.minutes

If you are using then Devise has a timeoutable module that you can use.

In your User model you would include :timeoutable with your devise models and in the devise.rb initializer you would configure it comparable to:

  # ==> Configuration for :timeoutable
  # The time you want to timeout the user session without activity. After this
  # time the user will be asked for credentials again. Default is 30 minutes.
  config.timeout_in = 30.minutes

You have to add expire_after key with nil value to the options:

Rails.application.config.session_store :cookie_store, key: '_app_session', expire_after: nil

After applying this change, the session will expire when user closes the browser. You can read more about cookies expiration here