Refinery CMS is using Devise as authentication provider. Devise supports session timeout, but Refinery CMS does not enable it by default. Anyway, it is always good to set a session timeout for logged in users to improve security. There are thousands of blogs teaching you how to set session timeout for Devise, but I was not able to find enough information on how to set session timeout in Refinery CMS. Thus, this article provides a workable way (but might not be the best way) to configure session timeout in Refinery CMS 3.0.

In Refinery CMS 3.0, all the authentication functionalities are moved to refinery-cms-authentication-devise gem. First, let's take a look at the source code of app/models/refinery/authentication/devise/user.rb from refinery-cms-authentication-devise repository in Github. We can find the following line to define devise modules in user.rb:

if self.respond_to?(:devise)
  devise :database_authenticatable, :registerable, :recoverable, :rememberable,
         :trackable, :validatable, authentication_keys: [:login]
end

Our goal is to add devise timeoutable module here. It can be easily achieved by using a decorator. First, create the file at app/decorators/models/refinery/authentication/devise/user_decorator.rb. Put the following code to alter user class so that it includes devise timeoutable module:

Refinery::Authentication::Devise::User.class_eval do
  if self.respond_to?(:devise)
    devise :database_authenticatable, :registerable, :recoverable, :timeoutable,
           :trackable, :validatable, authentication_keys: [:login]
  end
end

After that, add timeout setting into devise initializer. The initializer locates at config/nitializers/refinery/authentication/devise.rb, and you need to create it if it does not exist. The sample configuration to set session timeout after 10 minutes is shown below:

Devise.setup do |config|
  config.timeout_in = 10.minutes
end

Finally, restart rails server, and the session timeout configuration will take effect.