Refinery CMS uses Devise as its authentication provider. Devise supports session timeout, but Refinery CMS does not enable it by default. Regardless, it is always good to set a session timeout for logged-in users to improve security. There are thousands of blogs teaching you how to set a session timeout for Devise, but I was not able to find enough information on how to set a session timeout in Refinery CMS. Thus, this article provides a workable way (but might not be the best way) to configure a session timeout in Refinery CMS 3.0.
In Refinery CMS 3.0, all the authentication functionality has been moved to the refinery-cms-authentication-devise gem. First, let's take a look at the source code of app/models/refinery/authentication/devise/user.rb in the refinery-cms-authentication-devise repository on GitHub. We can find the following lines, which declare the Devise modules the user model uses:

    if self.respond_to?(:devise)
      devise :database_authenticatable, :registerable, :recoverable,
             :rememberable, :trackable, :validatable,
             authentication_keys: [:login]
    end
Our goal is to add the Devise timeoutable module here. It can easily be achieved with a decorator. First, create the file app/decorators/models/refinery/authentication/devise/user_decorator.rb. Put the following code in it to reopen the user class so that it includes the Devise timeoutable module:

    Refinery::Authentication::Devise::User.class_eval do
      if self.respond_to?(:devise)
        devise :database_authenticatable, :registerable, :recoverable,
               :timeoutable, :trackable, :validatable,
               authentication_keys: [:login]
      end
    end
After that, add the timeout setting to the Devise initializer. The initializer lives at config/initializers/refinery/authentication/devise.rb, and you need to create it if it does not exist. A sample configuration that times out a session after 10 minutes of inactivity is shown below:

    Devise.setup do |config|
      config.timeout_in = 10.minutes
    end
Finally, restart the Rails server, and the session timeout configuration will take effect.
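To make the effect of config.timeout_in concrete, here is an added, stand-alone illustration (it is not code from the Refinery CMS or Devise projects) that models the decision Devise's timeoutable module makes on each request: the user's last request time is kept in the session, compared against timeout_in, and refreshed on every request that passes. TimeoutableUser, check_request and demo are hypothetical names invented for this example, and TEN_MINUTES stands in for 10.minutes so the script runs without ActiveSupport. One caveat worth knowing: the decorator above no longer lists :rememberable, and in Devise the timeout check is skipped while a remember-me cookie is active, so a remembered login would otherwise outlive timeout_in; the example models that interaction with a remember_me_active flag.

```ruby
# Added illustration of the Devise timeoutable decision (hypothetical
# names; not Devise's or Refinery's own code). Devise stores
# last_request_at in the Warden session and compares it with timeout_in
# on every request; this is a simplified, self-contained approximation.

TEN_MINUTES = 10 * 60 # seconds; plain-Ruby stand-in for `10.minutes`

# Stand-in for the user record. With :timeoutable enabled, Devise adds
# `timeout_in` and `timedout?` to the model, with the same shape as here.
class TimeoutableUser
  attr_reader :timeout_in

  def initialize(timeout_in:)
    @timeout_in = timeout_in # nil means "never time out"
  end

  # The session is stale when the last request is at least `timeout_in`
  # seconds in the past (mirrors Devise: last_access <= timeout_in.ago).
  def timedout?(last_access, now: Time.now)
    return false if timeout_in.nil? || last_access.nil?
    last_access <= now - timeout_in
  end
end

# Simplified per-request hook. Returns :ok to keep the session or
# :timeout when it has been cleared. Like Devise's real hook, the timeout
# is skipped while a remember-me cookie is active, modelled here as a flag.
def check_request(user, session, now: Time.now, remember_me_active: false)
  last = session[:last_request_at]
  if user.timedout?(last, now: now) && !remember_me_active
    session.clear
    return :timeout
  end
  session[:last_request_at] = now # every passing request refreshes the timer
  :ok
end

# Constructed walk-through: three requests against a 10-minute timeout.
def demo
  user = TimeoutableUser.new(timeout_in: TEN_MINUTES)
  t0 = Time.utc(2024, 1, 1, 12, 0, 0)
  session = { last_request_at: t0 }

  [
    check_request(user, session, now: t0 + 5 * 60),   # 5 min idle  -> :ok
    check_request(user, session, now: t0 + 14 * 60),  # 9 min idle  -> :ok
    check_request(user, session, now: t0 + 25 * 60)   # 11 min idle -> :timeout
  ]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script prints [:ok, :ok, :timeout]: the second request comes 9 minutes after the first (which refreshed the timer), so it passes, while the third arrives 11 minutes after the second and is rejected. Setting remember_me_active: true on that third call would return :ok instead, which is the behaviour you avoid by leaving :rememberable out of the decorator.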