Why doesn't SESSION_EXPIRE_AT_BROWSER_CLOSE = True log the user out when the browser is closed?

Question

According to Django documentation, \"if SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, Django will use browser-length cookies -- cookies that expire as soon as the user clo

Answer 1

Closing the tab or window does not count as closing the browser. Make sure you quit the browser program to end a browser session.

If that does not help, use FireBug in firefox or Web Inspector in Safari to double check the headers in the response on your initial page hit. The initial page hit can be one of many things; when you first open the browser, when you logout or immediately after clearing cookies. With SESSION_EXPIRE_AT_BROWSER_CLOSE = True you should see something like this in the header:

Set-Cookie:sessionid=f4c06139bc46a10e1a30d5f0ab7773e2; Path=/

And when SESSION_EXPIRE_AT_BROWSER_CLOSE = False an expires=... value will be added:

Set-Cookie:sessionid=a532f3d7dc314afc58e8f676ed72280e; expires=Wed, 03-Nov-2010 17:08:45 GMT; Max-Age=1209600; Path=/

If you have a hard time seeing the Set-Cookie header because of redirects you can try using django-debug-toolbar to break the redirects up into multiple pages.

Answer 2

The change will not apply unless you run the manage.py syncdb again.

Answer 3

@istruble and @haasfsafas are both correct. The solution is to

1. Set SESSION_EXPIRE_AT_BROWSER_CLOSE = True
2. Delete the rows in the django_session table to clear out any sessions that might cause confusion. (delete from django_session)
3. Recognize that all of the windows and tabs in your browser must be closed in order for the session to expire. That's browser behavior; not Django behavior.

Answer 4

You have to cleanup the sessions in DB:

delete FROM django_session