Advice on implementing a system to handle user's authentication expirations using Ruby on Rails

I am using Ruby on Rails 3 and I would like to handle user auhtentications expiring after 15 minutes of inactivity. I read the "Ruby On Rails Security Guide" that recommends, for safety reasons, to don't keep the authentication in the session because its values can be changed on the client side. So I decided to create a Model just to do that.

For the database I created a table that have these columns: "last_sign_in", "last_sign_out" and timestamps "created_at" and "updated_at". Each user have a dedicated row to store his/her authentication information.

My questions/doubts are:

1. Referring the performance of the system, is this approach still recommended when the database will contain a lot (thousands and thousands) of users? If no, what is the best approach to handle authentication expiration?

2. In my case, how to implement the code taking care of performance? That is, how to handle authentication expiration interacting as little as possible with the database and caching requests?

3. Adding the column "last_action" to the database table, in order to have the time information of the last action made by users, how开发者_JAVA技巧 much is advisable?

You can use devise gem for authentication which have module named Rememberable that do cookies store and retrive for you.

Rememberable manages generating and clearing token for remember the user from a saved cookie. Rememberable also has utility methods for dealing with serializing the user into the cookie and back from the cookie, trying to lookup the record based on the saved information. You probably wouldn't use rememberable methods directly, they are used mostly internally for handling the remember token.