Logging users out of a Django site after N minutes of inactivity

Question

I'm working on a website that requires us to log a user out after N minutes of inactivity. Are there any best practices for this using Django?

Answer 1

Take a look at the session middleware and its settings. Specifically these two:

SESSION_COOKIE_AGE

Default: 1209600 (2 weeks, in seconds)

The age of session cookies, in seconds.

SESSION_SAVE_EVERY_REQUEST

Default: False

Whether to save the session data on every request. If this is False (default), then the session data will only be saved if it has been modified -- that is, if any of its dictionary values have been assigned or deleted.

Setting a low SESSION_COOKIE_AGE and turning SESSION_SAVE_EVERY_REQUEST on should work to create "sliding" expiration.

Answer 2

Setting the session cookie age in the django session middleware just sets the expiry time in the set-cookie header passed back to the browser. It's only browser compliance with the expiry time that enforces the "log out".

Depending on your reasons for needing the idle log-out, you might not consider browser compliance with the expiry time good enough. In which case you'll need to extend the session middleware to do so.

For example you might store an expiry time in your session engine which you update with requests. Depending on the nature of traffic to your site, you may wish to only write back to the session object once in X seconds to avoid excessive db writes.