extend_remember_period not updating remember_user_token cookie expiry on session timeout #5701

Open
@seanvm

Description

Environment

  • Ruby 3.1.4
  • Rails 6.1.5
  • Devise 4.9.3

Current behavior

Devise config: both :timeoutable and :rememberable. Set timeout to 30 seconds: timeout_in: 30.seconds, and enable extend_remember_period

With extend_remember_period:

  • If you close your browser (or delete the session store cookie) within the config.remember_for period, the remember_user_token cookie will be updated with a new expiration when you revisit the site, and you won't need to log in.

  • If you don't close your browser or remove the session cookie, but your session has timed out, the remember_user_token is not updated. If the config.remember_for period has elapsed you will need to log in again.

Expected behavior

I would expect a session timeout to be treated the same as a cleared session. If a user is active within the remember_for period, they should not need to log in again.

It seems that the session is only extended when Strategies::Rememberable#authenticate gets called. This doesn't seem to be called when no session cookie is found - even if the user is "remembered" due to a valid remember_user_token cookie.
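The following is an added illustration, not code from Devise or from the issue author: a small plain-Ruby model of the two flows described above. It assumes a simplified rule set (constructed here, not Devise's actual implementation) in which the remember cookie's expiry is refreshed only when a request arrives with no session, while a request on a timed-out session honours the cookie without refreshing it. The `refresh_on_timeout` switch models the reporter's expected behaviour so the two outcomes can be compared side by side; `RememberModel`, `scenario_browser_closed` and `scenario_session_timed_out` are names invented for this example.

```ruby
# Constructed model of the remember-me / session-timeout interaction.
# This is NOT Devise code; it only encodes the behaviour described in the issue.
class RememberModel
  attr_reader :remember_cookie_expires_at, :session

  def initialize(remember_for:, timeout_in:, extend_remember_period: true, refresh_on_timeout: false)
    @remember_for = remember_for           # seconds the remember cookie is valid (config.remember_for)
    @timeout_in = timeout_in               # seconds of inactivity before the session times out (timeout_in)
    @extend = extend_remember_period       # config.extend_remember_period
    @refresh_on_timeout = refresh_on_timeout # hypothetical: treat a timeout like a missing session
    @session = nil
    @remember_cookie_expires_at = nil
  end

  # User signs in with "remember me" at time +now+: a session and a remember cookie are issued.
  def sign_in(now)
    @session = { last_request_at: now }
    @remember_cookie_expires_at = now + @remember_for
  end

  # Simulates closing the browser: the session cookie is lost, the remember cookie is kept.
  def clear_session
    @session = nil
  end

  # One request at time +now+; returns :signed_in or :login_required.
  def request(now)
    return authenticate_from_remember_cookie(now) if @session.nil?

    timed_out = (now - @session[:last_request_at]) > @timeout_in
    if timed_out
      return authenticate_from_remember_cookie(now) if @refresh_on_timeout

      # Described behaviour: a valid remember cookie keeps the user signed in,
      # but its expiry is not pushed forward, so remember_for counts from the
      # original sign-in rather than from the last visit.
      unless remembered?(now)
        forget_and_sign_out
        return :login_required
      end
    end
    @session[:last_request_at] = now
    :signed_in
  end

  private

  # No usable session: the remember strategy checks the cookie and, with
  # extend_remember_period enabled, issues a fresh expiry on success.
  def authenticate_from_remember_cookie(now)
    unless remembered?(now)
      forget_and_sign_out
      return :login_required
    end
    @session = { last_request_at: now }
    @remember_cookie_expires_at = now + @remember_for if @extend
    :signed_in
  end

  def remembered?(now)
    !@remember_cookie_expires_at.nil? && now <= @remember_cookie_expires_at
  end

  def forget_and_sign_out
    @session = nil
    @remember_cookie_expires_at = nil
  end
end

DAY = 24 * 3600
REMEMBER_FOR = 14 * DAY   # constructed value, matching Devise's default of two weeks
TIMEOUT_IN = 30           # the 30-second timeout from the issue

# Flow 1: the user closes the browser between visits (session cookie gone each time)
# and returns every 10 days. The remember cookie is refreshed on every visit.
def scenario_browser_closed
  m = RememberModel.new(remember_for: REMEMBER_FOR, timeout_in: TIMEOUT_IN)
  t0 = Time.utc(2024, 1, 1)
  m.sign_in(t0)
  (1..3).map do |i|
    m.clear_session
    m.request(t0 + i * 10 * DAY)
  end
end

# Flow 2: the browser stays open, the session times out, the user returns every
# 10 days. Without refresh_on_timeout the cookie expires 14 days after sign-in.
def scenario_session_timed_out(refresh_on_timeout: false)
  m = RememberModel.new(remember_for: REMEMBER_FOR, timeout_in: TIMEOUT_IN,
                        refresh_on_timeout: refresh_on_timeout)
  t0 = Time.utc(2024, 1, 1)
  m.sign_in(t0)
  (1..3).map { |i| m.request(t0 + i * 10 * DAY) }
end

if __FILE__ == $PROGRAM_NAME
  p scenario_browser_closed                          # [:signed_in, :signed_in, :signed_in]
  p scenario_session_timed_out                       # [:signed_in, :login_required, :login_required]
  p scenario_session_timed_out(refresh_on_timeout: true) # [:signed_in, :signed_in, :signed_in]
end
```

Running the script shows the asymmetry the issue describes: the same pattern of visits keeps the user signed in indefinitely when the session cookie is cleared between visits, but forces a fresh login on the second visit when the session merely timed out. From a defender's point of view the remember cookie's expiry is the bound on how long a captured remember_user_token stays usable, so whichever behaviour is chosen, the refresh rule should be the same on both paths and the chosen remember_for should be set with that bound in mind.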
