Coerce time objects serialized as Strings before doing the timeoutable comparisons.

The comparison only fails on Ruby 1.9.3, when we need to parse it properly back
to a Time instance.

Related to #2930.

lib/devise/hooks/timeoutable.rb

@@ -12,6 +12,8 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     if last_request_at.is_a? Integer
       last_request_at = Time.at(last_request_at).utc
+    elsif last_request_at.is_a? String
+      last_request_at = Time.parse(last_request_at)
     end
 
     proxy = Devise::Hooks::Proxy.new(warden)

test/integration/timeoutable_test.rb

@@ -179,4 +179,11 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
   end
+
+  test 'does not crashes when the last_request_at is a String' do
+    user = sign_in_as_user
+
+    get edit_form_user_path(user, last_request_at: Time.now.utc.to_s)
+    get users_path
+  end
 end

test/rails_app/app/controllers/users_controller.rb

@@ -9,7 +9,7 @@ class UsersController < ApplicationController
   end
 
   def edit_form
-    user_session['last_request_at'] = 31.minutes.ago.utc
+    user_session['last_request_at'] = params.fetch(:last_request_at, 31.minutes.ago.utc)
   end
 
   def update_form