ruby script/plugin install http://svn.iprog.com/projects/rails/plugins/limited_sessions

There are several options that can be configured. They should be placed at the end of config/environment.rb (or the individual environment.rb files if that's preferred).

CGI::Session::ActiveRecordStore::Session.recent_activity_limit = 2.hours

This will expire sessions after the given period of time. This is managed on the server side and if the user closes their browser, the session will be gone. Default is 2 hours.

CGI::Session::ActiveRecordStore::Session.hard_session_limit = 24.hours

Sessions can also be forcefully expired without regard to the last activity. So if this is set to 24 hours and the above is two hours, the session will be terminated if a) the user has been inactive for more than two hours OR b) it has been more than 24 hours since the session began. Default is disabled (nil). Requires a `created_at` column in the session table.

CGI::Session::ActiveRecordStore::Session.auto_clean_sessions = 1000

Does a random test to see if the app should delete all expired sessions now. The odds are 1 in whatever value is provided here. 0 will disable this option. Default is 1000. A busy site may want 10000 or higher.

ActionController::CgiRequest.ip_restriction = :subnet

If set to :subnet, will compare the first three quads of the IPv4 address for a match. If set to :exact, will compare the full IP address (which should also work for IPv6). If no match, the session will be reset.Default is :none. Stores the IP match data in the session store as session[:ip].

There is currently no advanced documentation for this plugin.