Session not destroyed when closing browser - RailsTutorial.org

Question

In working through Michael Hartl's railstutorial.org, I'm in Chapter 8 (specifically 8.2.3). The current problem is implementing a session to keep the user logged in across multiple views, but the functionality implemented in this section is supposed to be a temporary session that expires (logs the user out) when the browser window is closed. Here is the statement from the textbook indicating such:

If you quit your browser completely, you should also be able to verify that the application forgets your login status, requiring you to log in again to see the changes described above.

I've tested this functionality on both Google Chrome and Firefox -- I log in successfully, navigate to multiple pages (to make sure my session persists beyond the log_in redirect) and then close the browser -- but when I reload the web app, I'm still logged in. I've copied all the code exactly as its written in the text, but to no avail. For reference, here's my sessions_helper.rb file:

module SessionsHelper

  # Logs in the given user.
  def log_in(user)
    session[:user_id] = user.id
  end

  # Returns the current logged-in user (if any).
  def current_user
    @current_user ||= User.find_by(id: session[:user_id])
  end

  # Returns true if the user is logged in, false otherwise.
  def logged_in?
    !current_user.nil?
  end

end

And here is my sessions_controller.rb file (the destroy action has not been implemented yet, since I haven't gotten to the point in the text of giving the Logout button any functionality):

class SessionsController < ApplicationController

  def new
  end

  def create
    user = User.find_by(email: params[:session][:email].downcase)
    if user && user.authenticate(params[:session][:password])
      # Log the user in and redirect to the user's show page.
      log_in user
      redirect_to user
    else
      flash.now[:danger] = 'Invalid email/password combination' 
      render 'new'
    end
  end

  def destroy
  end

end

Note: In your answer(s), please do not suggest adding alternate code or changing existing code (unless you see a mistake with the code I've posted). The textbook assumes this is working code and doesn't need any alteration for it to properly function.

Answer 1

Please, check your config/initializers/session_store.rb file. There should be something like

Rails.application.config.session_store :cookie_store, key: '_app_session'

You have to add expire_after key with nil value to the options:

Rails.application.config.session_store :cookie_store, key: '_app_session', expire_after: nil

After applying this change, the session will expire when user closes the browser. You can read more about cookies expiration here

Answer 2

I know I'm chiming in a good seven months late, but I had this same question, and after a little extra googling, discovered it was answered two years ago here.

The problem is a browser setting, one I imagine most everyone uses these days: "When Firefox starts, show my windows and tabs from last time" or "On startup, continue where you left off." This issue is now mentioned as a footnote in the tutorial (Chapter 8, Note 1), but the best the author has to say about it is

...of course Rails has no control over this behavior.