how to make sure that session never expires

That's because Rails by default sets no expiration date in the session cookie. Just assign some date far in the future:

   # untested
   config.action_controller.session :session_expires => 10.years.from_now

-- fxn

Session expiration for me means session cookie expiration, in the sense that's what happens from the user's view. A user maintains his session as long as he has a cookie for your application. When the browser deletes the cookie the session is gone.

Cleanup of expired sessions in the database or whatever storage you use is a different issue in my view, and Rails has no automatic mechanism to take care of them. A cron task that cleans up the session storage is the canonical solution, for instance something like:

   # untested, 10 years was the expiration window in the config example
   script/runner 'Session.delete_all(["created_at < ?", 10.years.ago])'

-- fxn

It's a server-side expiry time, but Session in Rails uses a cookie to
identify the server-side data. So it depends on the cookie too.

But if your web application has sensitive data, and is accessible over
the Internet, it's not a good practice to keep login sessions

- H
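
The distinction drawn in this thread between cookie expiry and server-side expiry, as an added example that is not part of any post: a plain-Ruby stand-in for a session table that decides expiry from its own timestamps and sweeps stale rows the way the cron task would. The `SessionTable` class, its method names and the idle/absolute timeout parameters are hypothetical, not Rails APIs.

```ruby
require 'securerandom'

# Hypothetical in-memory stand-in for a server-side session table
# (the role of the thread's Session model); not Rails' own session store.
class SessionTable
  Row = Struct.new(:data, :created_at, :updated_at)

  def initialize(idle_timeout:, absolute_timeout:)
    @idle = idle_timeout          # seconds allowed between two requests
    @absolute = absolute_timeout  # seconds allowed since the session began
    @rows = {}
  end

  # Create a row and return the id that would be placed in the session cookie.
  def create(data, now)
    id = SecureRandom.hex(16)
    @rows[id] = Row.new(data, now, now)
    id
  end

  # Look up the id a client presents. The cookie's expiration date is never
  # consulted: only the server-side timestamps decide whether the id is valid.
  def fetch(id, now)
    row = @rows[id]
    return nil if row.nil?
    if expired?(row, now)
      @rows.delete(id)
      return nil
    end
    row.updated_at = now # sliding idle window
    row.data
  end

  # The cron-style cleanup: drop rows that fetch would refuse anyway.
  # Returns the number of rows removed.
  def sweep(now)
    before = @rows.size
    @rows.delete_if { |_id, row| expired?(row, now) }
    before - @rows.size
  end

  def size; @rows.size; end

  private

  def expired?(row, now)
    now - row.updated_at > @idle || now - row.created_at > @absolute
  end
end
```

Because `fetch` ignores whatever lifetime the cookie carries, a cookie set to expire in ten years still stops working once either server-side timeout has passed.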