
So using Devise gets around this issue right?


I also wondered whether Devise handled this issue and looked at the source. Devise doesn't address this issue. It relies on warden underneath and serializes the user into the session without any sort of expiry (https://github.com/plataformatec/devise/blob/master/lib/devi...). There are a lot of options for remediation, though, like overriding the aforementioned serialization hash to attach an expiry, or setting an expiry in a separate key in the session.
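
Added example, not part of the comment above and not Devise or Warden code: a stand-alone Ruby model of the second remediation it mentions (an expiry stored in a separate session key), using a constructed HMAC-signed cookie. `SECRET`, `SESSION_TTL`, `issue_cookie` and `authenticate` are hypothetical names chosen for illustration.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret" # constructed value, not a real key
SESSION_TTL = 1800                 # seconds; assumed policy value

def sign(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Constant-time comparison so the MAC check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session into a signed client-side cookie.
# with_expiry: false models a session stored without any expiry.
def issue_cookie(user_id, now, with_expiry: true)
  session = { "user_id" => user_id }
  session["expires_at"] = now + SESSION_TTL if with_expiry
  data = [JSON.generate(session)].pack("m0") # strict base64
  "#{data}--#{sign(data)}"
end

# Returns the user id, or nil if the cookie is malformed, forged,
# missing its expiry, or past it.
def authenticate(cookie, now, require_expiry: true)
  data, mac = cookie.to_s.split("--", 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_equal?(sign(data), mac)
  session = JSON.parse(data.unpack1("m0"))
  if require_expiry
    exp = session["expires_at"]
    return nil unless exp.is_a?(Integer) && now < exp
  end
  session["user_id"]
end

if __FILE__ == $PROGRAM_NAME
  t0 = 1_700_000_000 # constructed timestamp
  legacy = issue_cookie(42, t0, with_expiry: false)
  # Without an expiry the same cookie is still accepted a month later.
  p authenticate(legacy, t0 + 30 * 86_400, require_expiry: false)
  # With the expiry key enforced, a copied cookie stops working after the TTL.
  p authenticate(issue_cookie(42, t0), t0 + SESSION_TTL + 1)
end
```

The expiry key only bounds how long a copied cookie is accepted; it does not invalidate the cookie at the moment of logout.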


If you use Devise make sure to read this, too:

http://stackoverflow.com/questions/11281141/after-logout-if-...

(I was quite surprised a long while back :-)


This is interesting...still doesn't answer my question though :)


Sorry! I didn't mean to imply that it was answering your question.

I thought bringing that information was still fairly useful, potentially.



