Log out users with empty session activity time when session lifetime is enabled.

app/controllers/application_controller.rb

@@ -616,10 +616,8 @@ class ApplicationController < ActionController::Base
   ActiveSupport.run_load_hooks(:application_controller, self)
 
   def check_session_lifetime
-    session_ttl_value = Setting.session_ttl.to_i
-
-    if Setting.session_ttl_enabled? && session_ttl_value >= 5
-      if session[:updated_at] && User.current.logged? && ((session[:updated_at] + (session_ttl_value * 60)) < Time.now)
+    if Setting.session_ttl_enabled? && Setting.session_ttl.to_i >= 5
+      if session[:updated_at].nil? || session_expired?
         self.logged_user = nil
         if request.get?
           url = url_for(params)
@@ -637,6 +635,10 @@ class ApplicationController < ActionController::Base
 
   private
 
+  def session_expired?
+    session[:updated_at] && User.current.logged? && ((session[:updated_at] + (Setting.session_ttl.to_i * 60)) < Time.now)
+  end
+
   def permitted_params
     @permitted_params ||= PermittedParams.new(params, current_user)
   end

spec/controllers/users_controller_spec.rb

@@ -241,6 +241,14 @@ describe UsersController do
         end
       end
 
+      shared_examples_for 'index action with enabled session lifetime and inactivity exceeded' do
+        it "logs out the user and redirects with a warning that he has been locked out" do
+          response.redirect_url.should == (signin_url + "?back_url=" + CGI::escape(@controller.url_for(:controller => "users", :action => "index")))
+          User.current.should_not == admin
+          flash[:warning].should == I18n.t(:notice_forced_logout, :ttl_time => Setting.session_ttl)
+        end
+      end
+
       context "disabled" do
         before do
           Setting.stub!(:session_ttl_enabled?).and_return(false)
@@ -272,11 +280,16 @@ describe UsersController do
             session[:updated_at] = Time.now - 3.hours
             get :index
           end
-          it "logs out the user and redirects with a warning that he has been locked out" do
-            response.redirect_url.should == (signin_url + "?back_url=" + CGI::escape(@controller.url_for(:controller => "users", :action => "index")))
-            User.current.should_not == admin
-            flash[:warning].should == I18n.t(:notice_forced_logout, :ttl_time => Setting.session_ttl)
+          it_should_behave_like 'index action with enabled session lifetime and inactivity exceeded'
+        end
+
+        context "without last activity time in the session" do
+          before do
+            Setting.stub!(:session_ttl).and_return("60")
+            session[:updated_at] = nil
+            get :index
           end
+          it_should_behave_like 'index action with enabled session lifetime and inactivity exceeded'
         end
 
         context "with ttl = 0" do