A Missing Manual on Refinery CMS Session Timeout Configuration
Refinery CMS is using Devise as authentication provider. Devise supports session timeout, but Refinery CMS does not enable it by default. Anyway, it is always good to set a session timeout for logged in users to improve security. There are thousands of blogs teaching you how to set session timeout for Devise, but I was not able to find enough information on how to set session timeout in Refinery CMS. Thus, this article provides a workable way (but might not be the best way) to configure session timeout in Refinery CMS 3.0.
In Refinery CMS 3.0, all the authentication functionalities are moved to refinery-cms-authentication-devise gem. First, let's take a look at the source code of app/models/refinery/authentication/devise/user.rb
from refinery-cms-authentication-devise repository in Github. We can find the following line to define devise modules in user.rb
:
if self.respond_to?(:devise)
devise :database_authenticatable, :registerable, :recoverable, :rememberable,
:trackable, :validatable, authentication_keys: [:login]
end
Our goal is to add devise timeoutable module here. It can be easily achieved by using a decorator. First, create the file at app/decorators/models/refinery/authentication/devise/user_decorator.rb
. Put the following code to alter user class so that it includes devise timeoutable module:
Refinery::Authentication::Devise::User.class_eval do
if self.respond_to?(:devise)
devise :database_authenticatable, :registerable, :recoverable, :timeoutable,
:trackable, :validatable, authentication_keys: [:login]
end
end
After that, add timeout setting into devise initializer. The initializer locates at config/nitializers/refinery/authentication/devise.rb, and you need to create it if it does not exist. The sample configuration to set session timeout after 10 minutes is shown below:
Devise.setup do |config|
config.timeout_in = 10.minutes
end
Finally, restart rails server, and the session timeout configuration will take effect.