How to expire session due to inactivity in Django?

后端 未结 6 1605
一整个雨季
一整个雨季 2020-11-28 00:52

Our Django application has the following session management requirements.

  1. Sessions expire when the user closes the browser.
  2. Sessions expire after a pe
相关标签:
6条回答
  • 2020-11-28 01:17

    django-session-security does just that...

    ... with an additional requirement: if the server doesn't respond or an attacker disconnected the internet connection: it should expire anyway.

    Disclamer: I maintain this app. But I've been watching this thread for a very, very long time :)

    0 讨论(0)
  • 2020-11-28 01:30

    Here's an idea... Expire the session on browser close with the SESSION_EXPIRE_AT_BROWSER_CLOSE setting. Then set a timestamp in the session on every request like so.

    request.session['last_activity'] = datetime.now()
    

    and add a middleware to detect if the session is expired. something like this should handle the whole process...

    from datetime import datetime
    from django.http import HttpResponseRedirect
    
    class SessionExpiredMiddleware:
        def process_request(request):
            last_activity = request.session['last_activity']
            now = datetime.now()
    
            if (now - last_activity).minutes > 10:
                # Do logout / expire session
                # and then...
                return HttpResponseRedirect("LOGIN_PAGE_URL")
    
            if not request.is_ajax():
                # don't set this for ajax requests or else your
                # expired session checks will keep the session from
                # expiring :)
                request.session['last_activity'] = now
    

    Then you just have to make some urls and views to return relevant data to the ajax calls regarding the session expiry.

    when the user opts to "renew" the session, so to speak, all you have to do is set requeset.session['last_activity'] to the current time again

    Obviously this code is only a start... but it should get you on the right path

    0 讨论(0)
  • 2020-11-28 01:38

    In the first request, you can set the session expiry as

    self.request.session['access_key'] = access_key
    self.request.session['access_token'] = access_token
    self.request.session.set_expiry(set_age) #in seconds 
    

    And when using the access_key and token,

    try:
        key = self.request.session['access_key']
    except KeyError:
        age = self.request.session.get_expiry_age()
        if age > set_age:
            #redirect to login page
    
    0 讨论(0)
  • 2020-11-28 01:39

    I am just pretty new to use Django.

    I wanted to make session expire if logged user close browser or are in idle(inactivity timeout) for some amount of time. When I googled it to figure out, this SOF question came up first. Thanks to nice answer, I looked up resources to understand how middlewares works during request/response cycle in Django. It was very helpful.

    I was about to apply custom middleware into my code following top answer in here. But I was still little bit suspicious because best answer in here was edited in 2011. I took more time to search little bit from recent search result and came up with simple way.

    SESSION_EXPIRE_AT_BROWSER_CLOSE = True
    SESSION_COOKIE_AGE = 10 # set just 10 seconds to test
    SESSION_SAVE_EVERY_REQUEST = True
    

    I didn't check other browsers but chrome. 1. A session expired when I closed a browser even if SESSION_COOKIE_AGE set. 2. Only when I was idle for more than 10 seconds, A session expired. Thanks to SESSION_SAVE_EVERY_REQUEST, whenever you occur new request, It saves the session and updates timeout to expire

    To change this default behavior, set the SESSION_SAVE_EVERY_REQUEST setting to True. When set to True, Django will save the session to the database on every single request.

    Note that the session cookie is only sent when a session has been created or modified. If SESSION_SAVE_EVERY_REQUEST is True, the session cookie will be sent on every request.

    Similarly, the expires part of a session cookie is updated each time the session cookie is sent.

    django manual 1.10

    I just leave answer so that some people who is a kind of new in Django like me don't spend much time to find out solution as a way I did.

    0 讨论(0)
  • 2020-11-28 01:40

    One easy way to satisfy your second requirement would be to set SESSION_COOKIE_AGE value in settings.py to a suitable amount of seconds. For instance:

    SESSION_COOKIE_AGE = 600      #10 minutes.
    

    However, by only doing this the session will expire after 10 minutes whether or not the user exhibits some activity. To deal with this issue, expiration time can be automatically renewed (for another extra 10 minutes) every time the user performs any kind of request with the following sentence:

    request.session.set_expiry(request.session.get_expiry_age())
    
    0 讨论(0)
  • 2020-11-28 01:42

    also you can use stackoverflow build in functions

    SESSION_SAVE_EVERY_REQUEST = True
    
    0 讨论(0)
提交回复
热议问题