DMPRoadmap · momo3404 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## v5.0.2
 - Bump Ruby to v3.1.4 and use `.ruby-version` in CI [#3566](https://github.com/DMPRoadmap/roadmap/pull/3566)
+- Enable session timeout after 90 minutes of inactivity [#3568](https://github.com/DMPRoadmap/roadmap/pull/3568)
 
 ## v5.0.1
 - Updated seeds.rb file for identifier_schemes to include context value and removed logo_url and idenitifier_prefix for Shibboleth (as it was causing issues with SSO). [#3525](https://github.com/DMPRoadmap/roadmap/pull/3525)

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -63,9 +63,9 @@ class User < ApplicationRecord
   # Devise
   #   Include default devise modules. Others available are:
   #   :token_authenticatable, :confirmable,
-  #   :lockable, :timeoutable and :omniauthable
+  #   :lockable and :omniauthable
   devise :invitable, :database_authenticatable, :registerable, :recoverable,
-         :rememberable, :trackable, :validatable, :omniauthable,
+         :rememberable, :trackable, :validatable, :omniauthable, :timeoutable,
          omniauth_providers: %i[shibboleth orcid]
 
   # default user language to the default language

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -172,7 +172,7 @@
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
-  config.timeout_in = 3.hours
+  config.timeout_in = 90.minutes
 
   # If true, expires auth token on session timeout.
   # config.expire_auth_token_on_timeout = false