Rails has “tamper-proof” session cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie. Just make sure you have a long secret. If you want to periodically reset all user sessions change your secret.
To answer your question, if you want to add an extra time-out to the session data you could do:
session[:user_id] = user.id
session[:expires_at] = Time.current + 24.hours
Then, when authenticating users, do:
if session[:expires_at] < Time.current
# sign out user
end
Hope that helps.