[Django] #35806: Allow the user to list and delete their sessions


Django

Sep 30, 2024, 1:27:13 PM
to django-...@googlegroups.com
#35806: Allow the user to list and delete their sessions
-------------------------------------+-------------------------------------
Reporter: Paolo Melchiorre | Type: New feature
Status: new | Component: contrib.sessions
Version: dev | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
== Goal

A user should be able to see which of their sessions are active.

Make it easy to see their current sessions.

If a user notices unusual actions on them, they should be able to stop
those actions by locking the session.

== Future

It might be useful in the future to add more information to sessions such
as: unique device identifier, IP address.
As a result, a device could always be connected to a session and a session
is always connected to at least one device.

A device would be tracked with its last activity.
The same device would be updated every X seconds to track its usage in
terms of duration of activity, based on the settings for that device.

Tracking data would be collected within the session itself.
This data would be updated in the database when needed (based on elapsed
time) or in the cache, if sessions are stored there.

Each user should see data from their devices.
Administrators should be able to see all devices.
--
Ticket URL: <https://code.djangoproject.com/ticket/35806>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
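
Added example, not part of the ticket and not Django code: a minimal in-memory model of the behaviour described under "Goal" and "Future" above (per-user listing, last-activity updates written only every X seconds, owner-only revocation). `SessionRegistry`, its methods and the field names are hypothetical, and listing a digest instead of the session key is this example's own design choice.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    ip: str  # PII: keep only if your retention policy allows it
    device: str
    last_activity: float

class SessionRegistry:
    """Hypothetical in-memory store; not Django's session API."""
    def __init__(self, touch_interval=60.0):
        self.touch_interval = touch_interval  # the ticket's "every X seconds"
        self._by_key = {}                     # secret session key -> Session
        self.writes = 0                       # number of persisted updates

    @staticmethod
    def public_id(key):
        # Listings expose a digest, never the session key itself.
        return hashlib.sha256(key.encode()).hexdigest()[:16]

    def create(self, user, ip, device, now):
        key = secrets.token_urlsafe(32)
        self._by_key[key] = Session(user, ip, device, now)
        self.writes += 1
        return key

    def touch(self, key, now):
        # Persist last activity only once the interval has elapsed.
        s = self._by_key.get(key)
        if s is not None and now - s.last_activity >= self.touch_interval:
            s.last_activity = now
            self.writes += 1

    def list_for(self, requester, is_admin=False):
        # Users see only their own sessions; administrators see all.
        return sorted(
            (self.public_id(k), s.user, s.device, s.last_activity)
            for k, s in self._by_key.items()
            if is_admin or s.user == requester)

    def revoke(self, requester, public_id, is_admin=False):
        # Ownership check: a user can end only their own sessions.
        for k, s in list(self._by_key.items()):
            if self.public_id(k) == public_id and (is_admin or s.user == requester):
                del self._by_key[k]
                return True
        return False
```

The revocation path takes the listed digest, so the page that shows a user's sessions never has to carry another session's key.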

Django

Oct 1, 2024, 12:37:19 AM
to django-...@googlegroups.com
#35806: Allow the user to list and delete their sessions
----------------------------------+--------------------------------------
Reporter: Paolo Melchiorre | Owner: (none)
Type: New feature | Status: new
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Comment (by Shuyu Wu):

Hello!

I think you need to first clarify what's the meaning of "user" here.

If you're talking about a **web user who is interacting with the django
server by sending requests**, then can you clarify what's the meaning of
"Allow the user to list and delete their sessions"? Because in my
understanding, a web user can't execute any code in the Django server.
Also, from a general point of view, Django’s built-in session management is
intentionally abstracted from the end-user to keep interactions simple and
intuitive.

From a server-side point of view, if you want to log out a user (clean
session), you can just call the logout function.


{{{
from django.contrib.auth import logout
from django.shortcuts import redirect


def logout_view(request):
    # Flush the current request's session, then send the user to 'home'.
    logout(request)
    return redirect('home')
}}}

So in conclusion, can you make your ticket clearer?
--
Ticket URL: <https://code.djangoproject.com/ticket/35806#comment:1>

Django

Oct 1, 2024, 10:21:56 AM
to django-...@googlegroups.com
#35806: Allow the user to list and delete their sessions
----------------------------------+--------------------------------------
Reporter: Paolo Melchiorre | Owner: (none)
Type: New feature | Status: closed
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Changes (by Natalia Bidart):

* resolution: => wontfix
* status: new => closed

Comment:

Hello Paolo! Thank you for taking the time to create this report
requesting a new feature.

The [https://docs.djangoproject.com/en/stable/internals/contributing/bugs-and-features/#requesting-features
documented guidelines for requesting features] require seeking and gaining
community consensus before accepting a ticket for a New Feature. Because of
that, the recommended path forward is to first propose and discuss the idea
with the community by starting a new conversation on the
[https://forum.djangoproject.com/c/internals/5 Django Forum].

I'll close the ticket for now, but if the community agrees with the
proposal, please return to this ticket and reference the forum discussion
so we can re-open it.

Personally, I feel that a feature like the one described is risky because:

1. The information suggested to be recorded (IP address, device ID,
country, etc.) is all part of PII, which has to be treated with great care
and must follow the regulations of various countries and regions.
2. This would greatly increase the chance of receiving security reports;
even if not all are valid, it would highly increase the workload for the
Security Team.

Achieving this feature correctly feels very complex and challenging. At
the very least I think we should have this as a new 3rd party app to have
an idea of usage, acceptance, and implementation details.
--
Ticket URL: <https://code.djangoproject.com/ticket/35806#comment:2>

Django

Oct 1, 2024, 11:22:35 AM
to django-...@googlegroups.com
#35806: Allow the user to list and delete their sessions
----------------------------------+--------------------------------------
Reporter: Paolo Melchiorre | Owner: (none)
Type: New feature | Status: closed
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Comment (by Carlton Gibson):

This is implemented in the django-user-sessions Jazzband package.

https://pypi.org/project/django-user-sessions/

I think it may need some maintenance help to update to the latest Django,
but it's been generally well looked after over the years.
--
Ticket URL: <https://code.djangoproject.com/ticket/35806#comment:3>