Clarification about session_timeout. #264

Open
tv-enermarket opened this issue Nov 30, 2020 · 2 comments
Labels
question: Asking a question about Sorcery
to be implemented in v1: This issue or pull request will be resolved in the v1 rework, but has not yet been completed.

Comments

@tv-enermarket

Configuration

  • Sorcery Version: sorcery 0.15.0
  • Ruby Version: ruby 2.7.2
  • Framework: Rails 6.0.3.4
  • Platform: ubuntu 18 LTS

Expected Behavior

When I use the session_timeout module, I expect it to reset the session only for users who are logged in.

Actual Behavior

All sessions are being reset whether the user is logged in or not.

I took a look at the code in session_timeout.rb:

if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) || sorcery_session_invalidated?
  reset_sorcery_session
  remove_instance_variable :@current_user if defined? @current_user
else
  session[:last_action_time] = Time.now.in_time_zone
end

I would expect something like:

if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) && user.present?

What am I missing? Is my understanding of the session_timeout wrong? Can someone clarify the behaviour for me?
Thanks in advance!

@tv-enermarket changed the title from "Clarification for session_timeout." to "Clarification about session_timeout." on Nov 30, 2020
@joshbuker
Member

If I understand the question correctly, you have sessions for users that are not logged in which are being invalidated by the session timeout module after your session timeout threshold, but you want it to only target users that are logged in?

I'm a little confused on the use-case for this, is there some reason that you have sessions for logged out users that need to be persisted longer than your logged in timeout threshold?

@joshbuker added the "question" label on Mar 9, 2021
@joshbuker
Member

Considering how the rest of the code is structured, I feel like it resetting the rails session whenever it's been more than the Sorcery session_timeout length between actions, but while logged out, is unintended.

I'll double check this functionality again in v1, and either change it to reflect that, or document the reasons for timing out logged out sessions.

@joshbuker added the "to be implemented in v1" label on Jun 5, 2021
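
An added example, not part of the thread and not Sorcery's own code: a plain-Ruby model of the check quoted in the issue, next to a variant gated on login state along the lines the reporter suggested. The Hash session, the :user_id login marker, the :cart key and the timeout value are assumptions, and the sorcery_session_invalidated? branch is left out.

```ruby
# Plain-Ruby model of the check quoted in the issue; no Rails or Sorcery needed.
# Assumptions (not from the thread): the session is a Hash, :user_id marks a
# logged-in session, and :cart stands in for anonymous-visitor state.

TIMEOUT = 3600 # seconds; constructed value

def expired?(last_action, now, timeout = TIMEOUT)
  now - last_action > timeout
end

# Behaviour described in the issue: the expiry test ignores login state.
def validate_session_current(session, now)
  last = session[:last_action_time]
  if last && expired?(last, now)
    session.clear # stands in for reset_sorcery_session
    :reset
  else
    session[:last_action_time] = now
    :touched
  end
end

# Variant along the lines the reporter proposed: only logged-in sessions time out.
def validate_session_logged_in_only(session, now)
  last = session[:last_action_time]
  if session[:user_id] && last && expired?(last, now)
    session.clear
    :reset
  else
    session[:last_action_time] = now
    :touched
  end
end

# Runs both checks against constructed anonymous and logged-in sessions
# whose last action is one second past the timeout.
def demo
  t0 = Time.at(0)
  later = t0 + TIMEOUT + 1
  anon = -> { { last_action_time: t0, cart: [42] } }
  user = -> { { last_action_time: t0, user_id: 7 } }
  { current_anon: validate_session_current(anon.call, later),
    current_user: validate_session_current(user.call, later),
    gated_anon: validate_session_logged_in_only(anon.call, later),
    gated_user: validate_session_logged_in_only(user.call, later) }
end

p demo
```

With the gated variant, an anonymous session is never expired by this check, so any pre-login state kept in it lasts until the session store's own expiry.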