Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to expire session due to inactivity in Django?

Tags:

python

cookies

django

session

Our Django application has the following session management requirements.

  1. Sessions expire when the user closes the browser.
  2. Sessions expire after a period of inactivity.
  3. Detect when a session expires due to inactivity and display appropriate message to the user.
  4. Warn users of a impending session expiry a few minutes before the end of the inactivity period. Along with the warning, provide users an option to extend their session.
  5. If user is working on a long business activity within the app that doesn't involve requests being sent to the server, the session must not timeout.

After reading the documentation, Django code and some blog posts related to this, I have come up with the following implementation approach.

Requirement 1
This requirement is easily implemented by setting SESSION_EXPIRE_AT_BROWSER_CLOSE to True.

Requirement 2
I have seen a few recommendations to use SESSION_COOKIE_AGE to set the session expiry period. But this method has the following problems.

  • The session always expires at the end of the SESSION_COOKIE_AGE even if the user is actively using the application. (This can be prevented by setting the session expiry to SESSION_COOKIE_AGE on every request using a custom middleware or by saving the session on every request by setting SESSION_SAVE_EVERY_REQUEST to true. But the next problem is unavoidable due to the use of SESSION_COOKIE_AGE.)

  • Due to the way cookies work, SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE are mutually exclusive i.e. the cookie either expires on browser close or at the specified expiry time. If SESSION_COOKIE_AGE is used and the user closes the browser before the cookie expires, the cookie is retained and reopening the browser will allow the user (or anyone else) into the system without being re-authenticated.

  • Django relies only on the cookie being present to determine if the session is active. It doesn't check the session expiry date stored with the session.

The following method could be used to implemented this requirement and to workaround the problems mentioned above.

  • Do not set SESSION_COOKIE_AGE.
  • Set the expiry date of the session to be 'current time + inactivity period' on every request.
  • Override process_request in SessionMiddleware and check for session expiry. Discard the session if it has expired.

Requirement 3
When we detect that the session has expired (in the custom SessionMiddleware above), set an attribute on the request to indicate session expiry. This attribute can be used to display an appropriate message to the user.

Requirement 4
Use JavaScript to detect user inactivity, provide the warning and also an option to extend the session. If the user wishes to extend, send a keep alive pulse to the server to extend the session.

Requirement 5
Use JavaScript to detect user activity (during the long business operation) and send keep alive pulses to the server to prevent session from expiring.

The above implementation approach seem very elaborate and I was wondering if there might a simpler method (especially for Requirement 2).

Any insights will be highly appreciated.

like image 359
Akbar ibrahim Avatar asked Jun 11 '10 15:06

Akbar ibrahim

People also ask

What is default session timeout in Django?

The setting you are looking for is SESSION_COOKIE_AGE , the default value is 1209600 which is two weeks, in seconds.

How does a session expire?

If your Internet connection is unstable, periodically disconnecting and reconnecting, it can cause a website session to expire. When the Internet connection is lost the website connection can be terminated, resulting in a session expired message if you try to access any page after the Internet reconnects.

How does Django maintain session?

Django provides a session framework that lets you store and retrieve data on a per-site-visitor basis. Django abstracts the process of sending and receiving cookies, by placing a session ID cookie on the client side, and storing all the related data on the server side. So the data itself is not stored client side.

1 Answers

I am just pretty new to use Django.

I wanted to make session expire if logged user close browser or are in idle(inactivity timeout) for some amount of time. When I googled it to figure out, this SOF question came up first. Thanks to nice answer, I looked up resources to understand how middlewares works during request/response cycle in Django. It was very helpful.

I was about to apply custom middleware into my code following top answer in here. But I was still little bit suspicious because best answer in here was edited in 2011. I took more time to search little bit from recent search result and came up with simple way.

SESSION_EXPIRE_AT_BROWSER_CLOSE = True SESSION_COOKIE_AGE = 10 # set just 10 seconds to test SESSION_SAVE_EVERY_REQUEST = True

I didn't check other browsers but chrome.

  1. A session expired when I closed a browser even if SESSION_COOKIE_AGE set.
  2. Only when I was idle for more than 10 seconds, A session expired. Thanks to SESSION_SAVE_EVERY_REQUEST, whenever you occur new request, It saves the session and updates timeout to expire

To change this default behavior, set the SESSION_SAVE_EVERY_REQUEST setting to True. When set to True, Django will save the session to the database on every single request.

Note that the session cookie is only sent when a session has been created or modified. If SESSION_SAVE_EVERY_REQUEST is True, the session cookie will be sent on every request.

Similarly, the expires part of a session cookie is updated each time the session cookie is sent.

django manual 1.10

I just leave answer so that some people who is a kind of new in Django like me don't spend much time to find out solution as a way I did.

like image 78
Jayground Avatar answered Sep 23 '22 07:09

Jayground
Sign in to Comment

Related questions

ValueError: unsupported pickle protocol: 3, python2 pickle can not load the file dumped by python 3 pickle?
How do I get interactive plots again in Spyder/IPython/matplotlib?
Method Resolution Order (MRO) in new-style classes?
ImportError: No module named pandas
"ImportError: No module named site" on Windows
Scope of lambda functions and their parameters?
Default filter in Django admin
Change figure window title in pylab
How can I check if a date is the same day as datetime.today()?
Python Timezone conversion
Pycharm and sys.argv arguments
What is the most pythonic way to check if multiple variables are not None?
AssertionError: View function mapping is overwriting an existing endpoint function: main
Positional argument v.s. keyword argument
NaN loss when training regression network
Pythonic way to combine two lists in an alternating fashion?
Differences between STATICFILES_DIR, STATIC_ROOT and MEDIA_ROOT
How to obfuscate Python code effectively?
How to plot ROC curve in Python
When should I use @classmethod and when def method(self)?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!