That's because Rails by default sets no expiration date in the session cookie. Just assign some date far in the future:
# untested config.action_controller.session :session_expires => 10.years.from_now
-- fxn
Session expiration for me means session cookie expiration, in the sense that's what happens from the user's view. A user maintains his session as long as he has a cookie for your application. When the browser deletes the cookie the session is gone.
Cleanup of expired sessions in the database or whatever storage you use is a different issue in my view, and Rails has no automatic mechanism to take care of them. A cron task that cleans up the session storage is the canonical solution, for instance something like:
# untested, 10 years was the expiration window in the config example script/runner 'Session.delete_all("created_at < ?", 10.years.ago)'
-- fxn
It's a server-side expiry time, but Session in Rails uses cookie to identify the server-side data. So it depends on the cookie too.
But if your web application has sensitive data, and is accessible over the Internet, it's not a good practice to keep login sessions forever!!!
HTH - H