Is there any way to set individual session timeouts using cookie_store in Rails 7 + Devise, or do I have to use a active_record_store approach?

  Kiến thức lập trình

I’m using Devise with Rails 7.1.3. I’m trying to implement a user configurable timeout value for session expiration, so for example Alice could set her expiration time to 12 hours and Bob could set his expiration time to 30 minutes, before they’d each have to log in again to access the site.

After cobbling together suggestions from all over the internet and ChatGPT, I don’t think this actually is possible using cookie_store, but I wanted to ask SO in case anyone has pulled it off before I jump into doing a full refactor using the active_record_store approach. My session objects don’t have much other utility, so it’s a bit of overkill just for this feature. Either way the answer will maybe help others attempting to do something similar.

Here’s my current attempt:

# app/config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store, key: '_appname_session', expire_after: 12.hours

In my SessionsController (override of Devise::SessionsController), so essentially this is called on every user login:

  after_action :set_session_expiry, only: [:create, :new]

  def set_session_expiry
    if member_signed_in?
      timeout = current_member.member_setting.session_timeout || 12.hours
      request.session_options[:expire_after] = timeout.seconds
    end
  end

The application wide setting from the initializer certainly works. While the member override appears correct in debug output values, it does not change the cookie when I watch in the browser’s debug views.

What am I missing or is this just not possible?

LEAVE A COMMENT