clearance
Config to expire session only after some time of inactivity
I didn't see a way to do this right now but found a workaround someone had developed.
Basically they set the cookie_expiration to a short period of time, then call sign_in on any controller action. This way the user will only be logged out if they stop using the site.
This worked well for us, but it has one downside: every time a request is made, the existing CSRF token becomes invalid because rotate_csrf_on_sign_in is set to true. For example, if you have a download link on a page with a form, clicking the download will change the CSRF token and the user will not be able to submit the form.
Is it possible to update cookie_expiration manually instead of having to go through sign_in? Thanks!
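
A small model of the trade-off described in this issue, added here as an illustration; it is not code from the post or from Clearance. `IdleSession`, `touch` and `form_survives_download?` are hypothetical names; only `sign_in` and `rotate_csrf_on_sign_in` mirror names used in the post.

```ruby
require "securerandom"

# Constructed model of a cookie session with an idle timeout.
# It does not reproduce Clearance's internals.
class IdleSession
  attr_reader :csrf_token, :expires_at

  def initialize(idle_timeout:, rotate_csrf_on_sign_in: true)
    @idle_timeout = idle_timeout
    @rotate = rotate_csrf_on_sign_in
    @expires_at = nil
    @csrf_token = nil
  end

  # Workaround from the post: every request goes through sign_in,
  # which extends the expiry but also rotates the CSRF token.
  def sign_in(now)
    @csrf_token = SecureRandom.hex(16) if @rotate || @csrf_token.nil?
    @expires_at = now + @idle_timeout
  end

  # Behaviour the post asks for: extend the expiry, keep the token.
  # An already expired session is never revived.
  def touch(now)
    return false unless active?(now)
    @expires_at = now + @idle_timeout
    true
  end

  def active?(now)
    !@expires_at.nil? && now < @expires_at
  end

  def valid_form?(token, now)
    active?(now) && !token.nil? && token == @csrf_token
  end
end

# Scenario from the post: render a form, click a download link, submit the form.
def form_survives_download?(strategy, idle_timeout: 600)
  now = Time.at(0)
  session = IdleSession.new(idle_timeout: idle_timeout)
  session.sign_in(now)                 # real login
  form_token = session.csrf_token      # token embedded in the rendered form
  now += 300                           # download request, 5 minutes later
  strategy == :sign_in_each_request ? session.sign_in(now) : session.touch(now)
  now += 300                           # form submit, 10 minutes after login
  session.valid_form?(form_token, now)
end
```

With a 600-second idle timeout, both strategies keep the session alive past the original expiry, but only the `touch` strategy leaves the form's token valid.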