Description
Right now, if a user doesn't click "sign out", the session stays forever. The session should be destroyed when the browser closes (or even when you close the tab? I need to look into if that's even a thing). The session should also be destroyed after some long amount of time. Optionally, give the user an option of being logged in forever (but maybe not, to keep things simple?).
Also: we should learn more about cookies. I don't want our site to leave unwanted cookies lying around or anything. https://www.eff.org/2011/october/facebook%E2%80%99s-hotel-california-cross-site-tracking-and-potential-impact-digital-privacy
Another thing to think about: should we try to implement another login system (through a gem like authlogic, clearance, or other: http://www.quora.com/Ruby-on-Rails/How-should-I-choose-an-authentication-gem)? Should we allow logins from other accounts (Google, Twitter, Facebook), and/or OpenID? I am hesitant to allow Facebook logins for ideological reasons. This is getting outside of the scope of this issue. =(
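
The "destroyed after some long amount of time" part of this issue can be enforced on the server no matter what the browser does with the cookie. The following is an added example, not part of the original issue or the project's code; it is plain Ruby over a session hash, and the class name, key names and both limits are assumptions.

```ruby
# Server-side session lifetime check (added example; names and limits assumed).
class SessionLifetime
  IDLE_LIMIT     = 30 * 60          # assumed: 30 minutes without a request
  ABSOLUTE_LIMIT = 14 * 24 * 3600   # assumed: 14 days since sign-in

  # Call on sign-in: drop any old state and stamp creation and last-use time.
  def self.start(session, user_id, now: Time.now)
    session.clear
    session[:user_id] = user_id
    session[:created_at] = now.to_i
    session[:last_seen_at] = now.to_i
    session
  end

  # Call on every request. Returns :active, :expired_idle, :expired_absolute
  # or :anonymous. An expired or malformed session is emptied.
  def self.check!(session, now: Time.now)
    return :anonymous unless session[:user_id]

    created = session[:created_at]
    seen = session[:last_seen_at]
    # Missing or non-integer timestamps are treated as expired (fail closed).
    unless created.is_a?(Integer) && seen.is_a?(Integer)
      session.clear
      return :expired_absolute
    end

    t = now.to_i
    if t - created >= ABSOLUTE_LIMIT
      # Activity never extends the absolute limit.
      session.clear
      :expired_absolute
    elsif t - seen >= IDLE_LIMIT
      session.clear
      :expired_idle
    else
      session[:last_seen_at] = t # sliding idle window
      :active
    end
  end
end
```

In a Rails app the natural place for `check!` is a `before_action` that calls `reset_session` when the result is an expiry. Ending the session when the browser closes is a separate matter of cookie lifetime and cannot be enforced by this check.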