I’m getting ready to put an app into production and I’ve found a
strange issue that, as far as I know, shouldn’t be happening. To me
this looks like it could be a bug, but I’m not sure and I’m hoping
someone here can tell me if they’ve seen this before, or can
idiot-check me in that hopefully it’s just something I’ve missed along
the way.
I need the application to automatically shut down an active session
after 15 minutes of inactivity. My understanding is that this is
accomplished, in 2.3.5, with
ActionController::Base.session_options[:expire_after].
In the code snippet below (currently in config/initializers/
session_store.rb), I’m forcing this behavior if RAILS_ENV isn’t
development (because in development I don’t want this going on - it’s
annoying to have to relog after making UI/CSS/markup changes every
time!)
# Force sessions to expire after 15 minutes
if RAILS_ENV != 'development'
  ActionController::Base.session_options[:expire_after] = 15.minutes
end
This causes a problem: when attempting to log in via any browser or any
machine, the application responds as it should, but claims that the
authenticity token was invalid, presenting the 422 error message in
production:
"The change you wanted was rejected.
Maybe you tried to change something you didn’t have access to."
Disabling (commenting) the :expire_after line solves this problem.
Has anyone else seen this behavior? Have I overlooked something?
Thanks for your help.
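Added illustration (not the poster's code, and not Rails internals): a minimal model of how an inactivity-timed session interacts with a synchronizer-token CSRF check. The `Session` class, the `issue_csrf_token`/`verify_csrf_token` helpers and the `simulate_login` driver are hypothetical; they show why a session that is dropped between rendering a form and submitting it yields the "invalid authenticity token" / 422 outcome described above, and why a submission inside the idle window should still pass.

```ruby
# Hypothetical model of session expiry vs. a CSRF synchronizer token.
# Not Rails' implementation; names and structure are constructed for
# this example.
require 'securerandom'

class Session
  attr_reader :data, :last_seen

  # expire_after: idle seconds before the session is discarded.
  # clock: injectable so the example can simulate elapsed time offline.
  def initialize(expire_after:, clock: -> { Time.now })
    @expire_after = expire_after
    @clock = clock
    reset!
  end

  # A fresh, empty session: what the app sees once the old one is gone.
  def reset!
    @data = {}
    @last_seen = @clock.call
    self
  end

  # Called on every request: drop the session if it has been idle longer
  # than expire_after, otherwise slide the inactivity window forward.
  def touch!
    now = @clock.call
    reset! if now - @last_seen > @expire_after
    @last_seen = now
    self
  end
end

# Constant-time string comparison so token verification does not leak
# how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token embedded in the form; stored in the session when the form renders.
def issue_csrf_token(session)
  session.touch!
  session.data[:_csrf_token] ||= SecureRandom.base64(32)
end

# Verification on POST. Returns :ok, or :unprocessable_entity (the 422
# outcome) when the session no longer holds a matching token.
def verify_csrf_token(session, submitted)
  session.touch!
  expected = session.data[:_csrf_token]
  return :unprocessable_entity if expected.nil? || submitted.nil?
  secure_compare(expected, submitted) ? :ok : :unprocessable_entity
end

# Render a login form at t=0, then submit it after idle_seconds.
# Constructed scenario: 15-minute window, same as the post.
def simulate_login(idle_seconds, expire_after: 15 * 60)
  now = Time.at(0)
  clock = -> { now }                 # closure sees updates to `now`
  session = Session.new(expire_after: expire_after, clock: clock)
  token = issue_csrf_token(session)  # GET /login renders the form
  now += idle_seconds                # user fills in the form
  verify_csrf_token(session, token)  # POST /session
end

if __FILE__ == $PROGRAM_NAME
  puts "submit after 1 min:  #{simulate_login(60)}"        # :ok
  puts "submit after 20 min: #{simulate_login(20 * 60)}"   # :unprocessable_entity
end
```

In this model a login submitted within the 15-minute window passes and only a submission after the idle window fails, because the token lives in the session and disappears with it. A rejection on every login attempt, including an immediate one, is therefore worth investigating as the session not surviving the round trip at all rather than as the timeout doing its job.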