--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/030c570c-e085-431c-817f-27eb70e069d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi,
On Sunday 25 December 2016 11:14:03 ludovic coues wrote:
> I believe that is the intended behaviour.
>
> When I use a banking site for example, I don't want to be disconnected
> while doing operations 5 minutes after logging in. I want the session
> to expire when I stop using it.
There are actually three ways to handle sessions:
1) Session expires at a fixed time in the future and is not extended by use (disruptive, almost never a good thing).
2) Session expires when not used for a configured time. It is extended by use. The cookie is also extended (Django's behavior).
3) Session expires when not used for a configured time. It is extended by use. The cookie has no expiration time and is discarded when the browser window is closed.
The 3rd is useful so that if you close your browser, someone else cannot resume your session even if the session is still valid, and it still does not have the disruptive characteristics of the first method.
This 3rd method can be enabled using SESSION_EXPIRE_AT_BROWSER_CLOSE. See this link for information.
> > As a practical example, I set settings.SESSION_COOKIE_AGE=30. As long
> > as
> > I visited my site during `SESSION_COOKIE_AGE`, the cookie with
> > session_key will persist forever!
> >
> > What I want is that Django will force the session to expire once
> > `SESSION_COOKIE_AGE` seconds have passed since the moment the session_key was generated.
> > So how do I configure my project?
What is the reason you want this? It's almost never a good thing. The only good case I can think of is in game or test settings, where you need to complete certain tasks within a set timeframe.
--
Melvyn Sopacua
I believe that is the intended behaviour.

When I use a banking site for example, I don't want to be disconnected while doing operations 5 minutes after logging in. I want the session to expire when I stop using it.

Django's session middleware tries to solve that use case, which is what is needed 95% of the time.

As your need is different, you will need something different from what Django provides. Using a custom session store might be the simplest way. Inherit from the one you are using and redefine get_expiry_age to return the remaining time to live.
On 24 Dec 2016 3:46 p.m., "王超" <wcs...@gmail.com> wrote:
Django version is 1.10.4.

Just as the source code shows, the session middleware will refresh expires_time with the value time.time()+max_age if the status code of the response is not 500.

What was really weird is that the variable `max_age`, which is returned by the function `request.session.get_expiry_age()`, always equals settings.SESSION_COOKIE_AGE (a positive integer). That leads to the 'expire_date' stored in the `django_session` table always being bigger than time.time(). In other words, this session item never expires in the back-end db!!!

What's more, the session middleware will send the new `expires` to the browser by calling the function response.set_cookie(), which means this session item never expires in the user's browser either!!!

As a practical example, I set settings.SESSION_COOKIE_AGE=30. As long as I visited my site during `SESSION_COOKIE_AGE`, the cookie with session_key will persist forever!

What I want is that Django will force the session to expire once `SESSION_COOKIE_AGE` seconds have passed since the moment the session_key was generated. So how do I configure my project?
On Sunday 25 December 2016 18:42:16 Chaos Wong wrote:
> Thanks for the advice.
> It's indeed a rude way to force a session to expire depending only on the
> absolute time. The user always encounters a session-expired event when
> posting something.
> I will consider your way 3). But how does Django know the user has closed
> the browser?
It doesn't. The browser does.
When a cookie does not have an expiration time set, the cookie is not stored on disk but only in memory. When the browser is closed, the cookie is gone.
That means when the browser is opened again, it cannot send the session ID in the cookie anymore. This means a new session should be created (new login), and the old session should not be requested anymore and will eventually be evicted.
This also means that there will be a time window where the server session is valid, while the browser doesn't know about it anymore. So the old session could be taken over by someone listening on the wire. This is why encryption is paramount and browsers now support Strict Transport Security.
--
Melvyn Sopacua
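The three expiry policies Melvyn lists, the "return the remaining time to live from get_expiry_age" approach ludovic suggests, and the browser-close window described in the last reply, modelled in one runnable script. This is an added example, not Django's SessionMiddleware or one of its session backends: it keeps the "database" in memory and takes the clock as an argument so it runs offline, and the names SessionStore, Browser and simulate are assumptions made for illustration.

```python
"""Model of the three session-expiry policies discussed in this thread.

Added example, not Django's SessionMiddleware or a Django session backend.
The store is an in-memory dict and the current time is passed in, so the
script runs offline. Names (SessionStore, Browser, simulate) are assumed.
"""
import secrets
from dataclasses import dataclass

SESSION_COOKIE_AGE = 30  # seconds, the value used in the original post


@dataclass
class Session:
    key: str
    created_at: float
    expire_date: float  # server-side expiry, like django_session.expire_date


class SessionStore:
    """policy is "absolute" (1), "sliding" (2) or "sliding_browser_close" (3)."""

    def __init__(self, policy, max_age=SESSION_COOKIE_AGE):
        assert policy in ("absolute", "sliding", "sliding_browser_close")
        self.policy = policy
        self.max_age = max_age
        self._db = {}

    def create(self, now):
        key = secrets.token_hex(16)
        self._db[key] = Session(key, now, now + self.max_age)
        return key

    def get_expiry_age(self, key, now):
        """Seconds the session should remain valid, counted from `now`.

        The sliding policies hand back the full max_age on every request,
        which is the behaviour the original poster observed. The absolute
        policy returns the time left since creation, i.e. what overriding
        get_expiry_age to return the remaining time to live achieves.
        """
        s = self._db[key]
        if self.policy == "absolute":
            return max(0, int(s.created_at + self.max_age - now))
        return self.max_age

    def touch(self, key, now):
        """Run once per (non-500) response: refresh the server-side expiry and
        return the Set-Cookie header value, or None if the session is gone."""
        s = self._db.get(key)
        if s is None or s.expire_date <= now:
            self._db.pop(key, None)
            return None
        age = self.get_expiry_age(key, now)
        s.expire_date = now + age  # stays constant for "absolute", slides otherwise
        return self._set_cookie(key, age)

    def _set_cookie(self, key, age):
        base = f"sessionid={key}; Path=/; HttpOnly; Secure; SameSite=Lax"
        if self.policy == "sliding_browser_close":
            return base  # no Max-Age/Expires: the browser keeps it in memory only
        return f"{base}; Max-Age={age}"

    def is_valid(self, key, now):
        s = self._db.get(key)
        return s is not None and s.expire_date > now


class Browser:
    """Minimal cookie jar: persistent cookies survive close(), session cookies do not."""

    def __init__(self):
        self._jar = {}  # name -> (value, persistent)

    def store(self, set_cookie):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        persistent = any(p.startswith(("Max-Age=", "Expires=")) for p in parts[1:])
        self._jar[name] = (value, persistent)

    def close(self):
        self._jar = {n: v for n, v in self._jar.items() if v[1]}

    def get(self, name):
        entry = self._jar.get(name)
        return entry[0] if entry else None


def simulate(policy, visits, max_age=SESSION_COOKIE_AGE):
    """Create a session at t=0, hit the server at each time in `visits`, and
    return the visit times at which the session was still accepted."""
    store = SessionStore(policy, max_age)
    key = store.create(0)
    return [t for t in visits if store.touch(key, t) is not None]


if __name__ == "__main__":
    visits = [10, 20, 30, 40, 50, 60]
    print("sliding :", simulate("sliding", visits))   # every visit accepted
    print("absolute:", simulate("absolute", visits))  # only [10, 20]
```

With visits every 10 seconds and a 30-second age, the sliding store accepts every visit indefinitely, which is the "persists forever" behaviour from the original post; the absolute store stops at t=30 no matter how often the site was visited. For policy 3 the Set-Cookie value carries no Max-Age, so Browser.close() drops it while SessionStore.is_valid() still says True until the server-side expire_date passes: that is the window the last reply warns about.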