Devise Remember Me and Sessions
The timeout_in
will automatically log you out within 10 minutes of inactivity and is incompatible with the remember_me
checkbox. You can have one, but not both.
The information in previous answers is outdated. I've tested my project, which uses Rails 4
and Devise 3.5.1
and also checked devise code to be sure.
Now it looks whether Remember Me
checkbox was checked:
if
yes
, it checksif remember_exists_and_not_expired
, so basically usesconfig.remember_for
for session managementif
no
, it checksif last_access <= timeout_in.ago
, usingconfig.timeout_in
correspondingly
Ryan is correct in that the default Devise gem does not support both the :rememberable and :timeoutable options. However, like all things Ruby, if you don't like the decision that some other coder has made, especially when it strays from the norm that most users are likely to expect, then you can simply override it.
Thanks to a (rejected) pull request we can override this behaviour by adding the following code to the top of your Devise config file (/config/initializers/devise.rb):
module Devise
module Models
module Timeoutable
# Checks whether the user session has expired based on configured time.
def timedout?(last_access)
return false if remember_exists_and_not_expired?
last_access && last_access <= self.class.timeout_in.ago
end
private
def remember_exists_and_not_expired?
return false unless respond_to?(:remember_expired?)
remember_created_at && !remember_expired?
end
end
end
end
This will now allow you to configure both options and have them work as you would expect.
config.remember_for = 2.weeks
config.timeout_in = 30.minutes