Issues with Devise Rememberable - No automatic logout on browser close

Question

So I am having trouble with the rememberable module for devise. I have all the setup implemented correctly: I added :rememberable to my user model, added the remember_created_at to the users table, and added the :remember_me checkbox on the login page.

I can confirm that if a user logs in without checking the remember me checkbox, that a cookie is created, the expiration is now, and the remember_created_at field is set to null. And if a user checks the checkbox a timestamp is saved in the remember_created_at field and the expiration date of the cookie is set to the default 2 weeks.

So the issues I am having:

1. If I don't check the remember me checkbox and login, close the browser, and then go back to the app I am still logged in. Isn't the idea if a user does not want to be remembered that when the browser is closed the session is destroyed? Or am I misunderstanding this?

2. For testing purposed I changed the :remember_for option to 1.minute. So I checked the remember me box before logging in and verified the cookie expiration date is correct and a timestamp was saved in remember_created_at. I then closed the browser and waited about 2 minutes. I then opened the browser again and I was still logged in. Am I missing something or am I just not understanding the rememberable module correctly?

Thanks.

Answer 1

So the problem was me not the devise gem. When I was testing I was closing a browser tab, not the entire browser.

Answer 2

I had the same issues with Devise Rememberable until I found out that Chrome doesn't expire the session cookies on "Browsing session end" after closing the browser when the option "On startup" - "Continue where I left off" is enabled in the Settings.