Re: Anonymous session carries over to authenticated session


Byron Ruth

Nov 15, 2011, 1:45:49 PM
to Django developers
Here is the relevant code: https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L63-70

On Nov 15, 1:44 pm, Byron Ruth <bjr...@gmail.com> wrote:
> Posted original on the Django Users group because I thought I was
> missing something: http://groups.google.com/group/django-users/browse_thread/thread/a612...
>
> Per what Tom mentions on the Django Users thread:
>
> - an authenticated user logging in under a different account keeps the
> session key, but session data is flushed
> - a non-authenticated user keeps the session data but gets a new
> session key
>
> This behavior is confusing, especially the latter, since data was
> persisted pre-auth to post-auth even though the session key changed.
> There is certainly utility for persisting post-auth (e.g. e-commerce),
> but this is not documented anywhere.
>
> How would everyone feel about making this a setting, e.g.
> SESSION_FLUSH_AT_LOGIN? If false, it would behave as it does now;
> otherwise it would flush the non-auth session.

ptone

Nov 15, 2011, 2:27:39 PM
to Django developers


On Nov 15, 10:44 am, Byron Ruth <bjr...@gmail.com> wrote:

> How would everyone feel about making this a setting, e.g.
> SESSION_FLUSH_AT_LOGIN? If false, it would behave as it does now;
> otherwise it would flush the non-auth session.

I do think the current behavior is worth a note in the docs - like you
say - there are reasons to not flush it.

but this doesn't seem to merit a setting in the face of the ever
growing problem of settings bloat.

If https://code.djangoproject.com/ticket/17209 comes to pass, this
could be something on a login class, but otherwise I think you are
better off just doing a custom login view if you want to flush the
session.

-Preston
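
The custom login suggested above, sketched as an added example (not code from this thread or from Django): `login_with_clean_session` flushes the pre-auth session before calling `login()` and carries over only allow-listed keys. `ModelSession` and `model_login` are constructed stand-ins that model the behaviour described in this thread so the block runs without a Django project; the session keys `cart` and `is_verified` are hypothetical.

```python
import secrets
from types import SimpleNamespace

AUTH_KEY = "_auth_user_id"  # session key django.contrib.auth stores the user id under

class ModelSession(dict):
    """Constructed stand-in for a Django session: a dict plus a session key."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.session_key = secrets.token_hex(16)

    def cycle_key(self):  # new key, data kept
        self.session_key = secrets.token_hex(16)

    def flush(self):  # data dropped, new key
        self.clear()
        self.session_key = secrets.token_hex(16)

def model_login(request, user_id):
    """Model of the login() branches described in the thread (an assumption)."""
    session = request.session
    if AUTH_KEY in session:
        if session[AUTH_KEY] != user_id:
            session.flush()      # logging in under a different account
    else:
        session.cycle_key()      # anonymous visitor: data is carried over
    session[AUTH_KEY] = user_id

def login_with_clean_session(request, user, keep=(), auth_login=None):
    """Flush the pre-auth session, log in, restore only the keys in `keep`."""
    if auth_login is None:
        # In a real project, delegate to Django's own login().
        from django.contrib.auth import login as auth_login
    carried = {k: request.session[k] for k in keep if k in request.session}
    request.session.flush()
    auth_login(request, user)
    request.session.update(carried)

def demo():
    # Constructed pre-auth data: a cart worth keeping, a flag that must not survive.
    pre_auth = {"cart": ["sku-1"], "is_verified": True}
    plain = SimpleNamespace(session=ModelSession(pre_auth))
    model_login(plain, 7)
    clean = SimpleNamespace(session=ModelSession(pre_auth))
    login_with_clean_session(clean, 7, keep=("cart",), auth_login=model_login)
    return dict(plain.session), dict(clean.session)
```
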

Byron Ruth

Nov 15, 2011, 3:35:21 PM
to Django developers
Indeed, all of the settings are slowly becoming unwieldy. I will write
my own `login()` function in the meantime, but the docs should
definitely be updated to note this behavior.

On Nov 15, 2:27 pm, ptone <pres...@ptone.com> wrote:
> On Nov 15, 10:44 am, Byron Ruth <bjr...@gmail.com> wrote:
>
> > How would everyone feel about making this a setting, e.g.
> > SESSION_FLUSH_AT_LOGIN? If false, it would behave as it does now;
> > otherwise it would flush the non-auth session.
>
> I do think the current behavior is worth a note in the docs - like you
> say - there are reasons to not flush it.
>
> but this doesn't seem to merit a setting in the face of the ever
> growing problem of settings bloat.
>
> If https://code.djangoproject.com/ticket/17209 comes to pass, this

Byron Ruth

Nov 15, 2011, 4:47:17 PM
to Django developers
Ticket opened for documentation: https://code.djangoproject.com/ticket/17236

On Nov 15, 3:35 pm, Byron Ruth <bjr...@gmail.com> wrote:
> Indeed, all of the settings are slowly becoming unwieldy. I will write
> my own `login()` function in the meantime, but the docs should
> definitely be updated to note this behavior.
>
> On Nov 15, 2:27 pm, ptone <pres...@ptone.com> wrote:
>
> > On Nov 15, 10:44 am, Byron Ruth <bjr...@gmail.com> wrote:
>
> > > How would everyone feel about making this a setting, e.g.
> > > SESSION_FLUSH_AT_LOGIN? If false, it would behave as it does now;
> > > otherwise it would flush the non-auth session.
>
> > I do think the current behavior is worth a note in the docs - like you
> > say - there are reasons to not flush it.
>
> > but this doesn't seem to merit a setting in the face of the ever
> > growing problem of settings bloat.
>
> > If https://code.djangoproject.com/ticket/17209 comes to pass, this