Our Django application has the following session management requirements.
After reading the documentation, Django code and some blog posts related to this, I have come up with the following implementation approach.
This requirement is easily implemented by setting SESSION_EXPIRE_AT_BROWSER_CLOSE to True.
I have seen a few recommendations to use SESSION_COOKIE_AGE to set the session expiry period. But this method has the following problems.
The session always expires at the end of the SESSION_COOKIE_AGE even if the user is actively using the application. (This can be prevented by setting the session expiry to SESSION_COOKIE_AGE on every request using a custom middleware or by saving the session on every request by setting SESSION_SAVE_EVERY_REQUEST to true. But the next problem is unavoidable due to the use of SESSION_COOKIE_AGE.)
Due to the way cookies work, SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE are mutually exclusive i.e. the cookie either expires on browser close or at the specified expiry time. If SESSION_COOKIE_AGE is used and the user closes the browser before the cookie expires, the cookie is retained and reopening the browser will allow the user (or anyone else) into the system without being re-authenticated.
Django relies only on the cookie being present to determine if the session is active. It doesn't check the session expiry date stored with the session.
The following method could be used to implemented this requirement and to workaround the problems mentioned above.
When we detect that the session has expired (in the custom SessionMiddleware above), set an attribute on the request to indicate session expiry. This attribute can be used to display an appropriate message to the user.
The above implementation approach seem very elaborate and I was wondering if there might a simpler method (especially for Requirement 2).
Any insights will be highly appreciated.
Here's an idea... Expire the session on browser close with the
SESSION_EXPIRE_AT_BROWSER_CLOSE setting. Then set a timestamp in the session on every request like so.
request.session['last_activity'] = datetime.now()
and add a middleware to detect if the session is expired. something like this should handle the whole process...
from datetime import datetime from django.http import HttpResponseRedirect class SessionExpiredMiddleware: def process_request(request): last_activity = request.session['last_activity'] now = datetime.now() if (now - last_activity).minutes > 10: # Do logout / expire session # and then... return HttpResponseRedirect("LOGIN_PAGE_URL") if not request.is_ajax(): # don't set this for ajax requests or else your # expired session checks will keep the session from # expiring :) request.session['last_activity'] = now
Then you just have to make some urls and views to return relevant data to the ajax calls regarding the session expiry.
when the user opts to "renew" the session, so to speak, all you have to do is set
requeset.session['last_activity'] to the current time again
Obviously this code is only a start... but it should get you on the right path