remember me, password reset

app/controllers/application_controller.rb

@@ -4,6 +4,10 @@ class ApplicationController < ActionController::Base
   # Changes to the importmap will invalidate the etag for HTML responses
   stale_when_importmap_changes
 
+  SESSION_TIMEOUT = 3.days
+
+  before_action :check_session_timeout
+
   helper_method :supported_languages, :current_user, :logged_in?, :admin?, :reviewer_or_admin?,
                 :contributor_or_above?, :setup_completed?
 
@@ -14,7 +18,40 @@ class ApplicationController < ActionController::Base
   end
 
   def current_user
-    @current_user ||= User.find_by(id: session[:user_id]) if session[:user_id]
+    return @current_user if defined?(@current_user)
+
+    # First check session
+    if session[:user_id]
+      @current_user = User.find_by(id: session[:user_id])
+    # Then check remember me cookie
+    elsif cookies.signed[:remember_token]
+      user = User.find_by_valid_remember_token(cookies.signed[:remember_token])
+      if user
+        session[:user_id] = user.id
+        @current_user = user
+      else
+        # Invalid or expired remember token, clear it
+        cookies.delete(:remember_token)
+      end
+    end
+
+    @current_user
+  end
+
+  def check_session_timeout
+    return unless logged_in?
+    return if cookies.signed[:remember_token].present?
+
+    if session[:last_activity_at].present?
+      last_activity = Time.parse(session[:last_activity_at])
+      if last_activity < SESSION_TIMEOUT.ago
+        reset_session
+        redirect_to login_path, alert: "Your session has expired. Please sign in again."
+        return
+      end
+    end
+
+    session[:last_activity_at] = Time.current.to_s
   end
 
   def logged_in?