Rails doesn’t do anything about expired sessions by default. Here is how I take care of that in the case of ActiveRecord based sessions.
I have a file called
my_app/lib folder containing the call to delete old sessions:
ActiveRecord::SessionStore::Session.delete_all(["updated_at < ?", 12.hours.ago])
I also have an entry in the crontab which executes this script at 4am every day:
0 4 * * * cd /data/my_app/current && RAILS_ENV=production ./script/runner lib/delete_expired_sessions.rb
The only other thing is to make sure that you regularly write something into active sessions so they don’t go stale and get deleted. And that’s it.
Works on: Rails 2.3.5