I'm getting ready to put an app into production and I've found a strange issue that, as far as I know, shouldn't be happening. To me this looks like it could be a bug, but I'm not sure and I'm hoping some one here can tell me if they've seen this before, or can idiot- check me in that hopefully it's just something I've missed along the way.
I need the application to automatically shut down an active session after 15 minutes of inactivity. My understanding is that this is accomplished, in 2.3.5, with ActionController::Base.session_options [:expire_after].
In the code snippet below (currently in config/initializers/ session_store.rb), I'm forcing this behavior if RAILS_ENV isn't development (because in development I don't want this going on - it's annoying to have to relog after making UI/CSS/markup changes every time!)
# Force sessions to expire after 15 minutes if(RAILS_ENV != 'development') ActionController::Base.session_options[:expire_after] = 15.minutes end
This causes a problem: when attempting to login via any browser or any machine, the application responds as it should, but claims that the authenticity token was invalid, presenting the 422 error message in production:
"The change you wanted was rejected.
Maybe you tried to change something you didn't have access to."
Disabling (commenting) the :expire_after line solves this problem.
Has anyone else seen this behavior? Have I overlooked something? Thanks for your help.