Django File-based session doesn't expire

90 views
Skip to first unread message

ej

unread,
Apr 17, 2012, 7:11:28 PM4/17/12
to django-d...@googlegroups.com
File-based session backend doesn't expire, unlike db-backed and cache-based sessions. I'm not too sure if this is a bug or an intended (but undocumented) design. I am under the impression that all session backends should behave similarly.

If this is an intended design, can someone explains why this is the case?

Thanks.

ej

unread,
Apr 19, 2012, 2:44:23 PM4/19/12
to django-d...@googlegroups.com
Anyone?

Paul McMillan

unread,
Apr 19, 2012, 4:36:57 PM4/19/12
to django-d...@googlegroups.com
Hi,

This is explained in the docs about sessions:
https://docs.djangoproject.com/en/dev/topics/http/sessions/#clearing-the-session-table

We provide a job you can periodically run to remove expired sessions.
However, looking at the code, it appears that this only works for the
database backed sessions, and does not work for file-backed sessions.
In the usual case, the cookie expires out of the user's browser and so
they have no access to the session on disk, even if it is still
present, but this leaves you with an ever-growing directory of old
files on the disk.

As a practical matter, file-based sessions are extremely slow compared
to the other session backends, so they are not very common in
production environments.

If you'd like to open a ticket (or even write a patch), that would be
great. I would suggest two improvements (probably as separate
tickets). The first is to switch to using the new signing framework
for file-based sessions, which provides the option for stronger
datetime based integrity checking. The second would be to improve the
cleanup command so that it clears out file-based sessions in addition
to the database backed ones.

-Paul

> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/django-developers/-/tsclBizYprkJ.
>
> To post to this group, send email to django-d...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-develop...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.

Reply all
Reply to author
Forward
0 new messages