Rails 4: Session Expiry?

Add this to your application controller:

before_filter :session_expires, :except => [:login, :logout]
before_filter :update_session_time, :except => [:login, :logout]

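def session_expires
  # No expiry recorded yet (first request after login): update_session_time sets it next.
  return if session[:expires_at].nil?
  # Compare as integer epoch seconds so the value survives cookie serialization.
  @time_left = session[:expires_at].to_i - Time.now.to_i
  unless @time_left > 0
    reset_session
    flash[:error] = 'Lorem Ipsum.'
    redirect_to :controller => 'foo', :action => 'bar'
  end
end

def update_session_time
  session[:expires_at] = 60.minutes.from_now.to_i
end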

Actually, Rails inherits from Rack::Session::Cookie, so you can configure the expire_after parameter in your session_store.rb.

Sqore::Application.config.session_store(
  :cookie_store,
  key: '_name_session',
  expire_after: 24.hours
)

Rails has "tamper-proof" session cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie. Just make sure you have a long secret. If you want to periodically reset all user sessions, change your secret.

To answer your question, if you want to add an extra time-out to the session data you could do:

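session[:user_id] = user.id
# Store epoch seconds: an Integer survives both the Marshal and JSON cookie serializers.
session[:expires_at] = (Time.current + 24.hours).to_i

Then, when authenticating users, do:

# A missing expires_at counts as expired (nil.to_i is 0).
if session[:expires_at].to_i < Time.current.to_i
  # sign out user
end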

Hope that helps.
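
The two points in the last answer (a digest over the session keyed by a server-side secret, and an expires_at kept inside the session) combined into one added example. It is not code from any of the answers or from Rails: it is a simplified stand-in using only Ruby's standard library, and the "data--digest" layout, HMAC-SHA256, JSON serialization, the SECRET constant and all method names are assumptions of this sketch.

```ruby
require 'openssl'
require 'json'

# Constructed secret for the demo; a real app loads a long random value from config.
SECRET = 'constructed-demo-secret-' + ('x' * 64)

def digest(data, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Serialize the session and append the HMAC: "<strict base64 of JSON>--<hex digest>".
def sign_session(session, secret = SECRET)
  data = [JSON.generate(session)].pack('m0')
  "#{data}--#{digest(data, secret)}"
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the cookie is forged, malformed,
# missing expires_at, or past its server-side deadline.
def load_session(cookie, now = Time.now, secret = SECRET)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_compare(mac, digest(data, secret))
  session = JSON.parse(data.unpack1('m0').force_encoding('UTF-8'))
  expires_at = session.is_a?(Hash) ? session['expires_at'] : nil
  return nil unless expires_at.is_a?(Integer) && now.to_i < expires_at
  session
rescue ArgumentError, JSON::ParserError
  nil
end

# Rewrites expires_at but keeps the old digest, as an edited cookie would look.
def tamper_expiry(cookie, new_expiry)
  data, mac = cookie.split('--', 2)
  session = JSON.parse(data.unpack1('m0').force_encoding('UTF-8'))
  session['expires_at'] = new_expiry
  "#{[JSON.generate(session)].pack('m0')}--#{mac}"
end
```

Because expires_at is covered by the digest, a replayed cookie is rejected after its deadline regardless of the cookie's own expiry attribute, and a cookie with an edited deadline fails verification.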