Description CookieStore doesn't expire sessions on the server side. So clients can keep sessions alive permanently, and the only way to expire them is to change :secret. I created a patch to add a new session option :lifetime. config.action_controller.session = { :session_key => '_my_app_session', :secret => '<secret key>', :lifetime => 1.day }