Database session deletion


George-Cristian Bîrzan

Jan 3, 2018, 6:56:39 AM
to django-d...@googlegroups.com
The documentation explicitly mentions that expired sessions aren't automatically deleted from the database, except when the user manually logs out. [1]

That, however, isn't the case. Firstly, when trying to access a user whose password was changed, the session is deleted from the database. [2] This, to me, seems the correct behaviour, and I think there should be a bug filed against the docs.

There's also a second case where this happens. [3] This one is a bit harder to follow. The way I read it, if you're already logged in and log in again, OR if the password is different (this is the part I have trouble understanding, I guess this can only happen when you call login for the same user, but don't verify the password). The latter part was added in https://github.com/django/django/commit/fd23c06023a0585ee743c0752dc94da66694cf63

The first part, logging in as another user, should act like a logout/login, but the docs need a mention of it. The second, I don't really understand, so I'm not sure what the change to the docs should say.



--
George-Cristian Bîrzan

Adam Johnson

Jan 5, 2018, 5:08:51 PM
to django-d...@googlegroups.com
Hi George-Cristian,

I agree, the 'clearing the session store' paragraph could be more explicit about the conditions under which sessions do get deleted. I encourage you to check https://docs.djangoproject.com/en/dev/internals/contributing/ , open a ticket, and make a PR with some updated wording :)

I also think the two cases you're looking at are part of the same logic to delete sessions for users whose passwords have changed, and these two code paths are implementing the same feature at different points. The first is during user-fetching (normally from request.user added by AuthenticationMiddleware), the second when login() is called on a non-logged-in session (that may have been logged in previously, possibly).

Looking forward to your PR,

Adam
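
The two code paths discussed in this thread, as an added stdlib-only model that is not part of the thread and is not Django's source. `STORE`, `Session`, `auth_hash` and `_fresh` are hypothetical names, and the hash construction (an HMAC over the stored password hash) is an assumption made for the illustration.

```python
import hashlib, hmac, secrets

STORE = {}  # stands in for the session table: session_key -> data (constructed)

def auth_hash(password_hash):
    # Assumed construction: HMAC over the stored password hash, so the value
    # changes whenever the password changes. The key is a constructed sample.
    return hmac.new(b"sample-secret", password_hash.encode(), hashlib.sha256).hexdigest()

class Session:
    def __init__(self):
        self._store({})
    def _store(self, data):
        self.key = secrets.token_hex(16)
        STORE[self.key] = data
    @property
    def data(self):
        return STORE[self.key]
    def flush(self):      # delete the stored row, continue with an empty session
        del STORE[self.key]
        self._store({})
    def cycle_key(self):  # keep the data, move it under a fresh key
        self._store(STORE.pop(self.key))

def _fresh(session, user):
    return hmac.compare_digest(session.data.get("hash", ""), auth_hash(user["password_hash"]))

def get_user(session, users):
    # Path 1: user fetching. A stale hash (password changed) deletes the row.
    user = users.get(session.data.get("uid"))
    if user is None:
        return None
    if not _fresh(session, user):
        session.flush()
        return None
    return user

def login(session, user):
    # Path 2: login() on a session that already carries a user id.
    if "uid" in session.data:
        if session.data["uid"] != user["id"] or not _fresh(session, user):
            session.flush()
    else:
        session.cycle_key()
    session.data.update(uid=user["id"], hash=auth_hash(user["password_hash"]))
```

In this model the stored row disappears in both cases without any explicit logout, which is the behaviour the thread proposes documenting.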
