How to delete least recently used not expired django sessions?


Web Architect

Aug 17, 2018, 8:44:22 AM
to Django users
Hi,

We are using persistent Django sessions for our website, wherein the session information is stored in MySQL. Over the last couple of years, the session data has grown to a huge number and we were planning to clean it up.
I know that there is a django management command 'clearsessions' and we are using the same as a daily cronjob.
But our challenge is that we have long expiry timelines of like 100 years so that our users are never logged out (unless they clear their cookies etc.). Hence, clearsessions won't help.

The solution we are looking for is removing the sessions which have not been used for a long period. Let's say a user never came to our site for 3 months after last logging in. We would like to purge those sessions. Would really appreciate it if anyone could suggest any such solution, be it in Django or if we need to custom build it.

Thanks.

Mike Dewhirst

Aug 17, 2018, 7:41:23 PM
to django...@googlegroups.com
What are the consequences of deleting all sessions and forcing a new
login for everyone?



Web Architect

Aug 18, 2018, 4:33:19 AM
to Django users
Hi Mike,

Thanks for your response. 

Ours is an ecommerce site and forcing logouts, especially for our regular users, might not be desirable from a business point of view.

Hence, ideally we would like to keep sessions where the user's last activity is within a given time period like 3 months. We can force out the users who haven't been active in the last 3 months.

Is there a way to do that in django?

Thanks.

HEMENDRA SINGH HADA

Aug 18, 2018, 6:28:10 AM
to Django users
Hi,

I can suggest one thing that might be useful for you. For this you need to create one more attribute in the session table, like last activity, which will be updated every time the user is logged in and performs some action. Write one middleware which will check the activity of each user and update the last activity field in the request/response cycle.

I am not sure whether this approach is acceptable for your current scenario.

Thanks,
Hemendra Singh
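As an added example (not Hemendra's code or anything from the thread), here is the approach above in runnable Python, using an in-memory sqlite3 table in place of MySQL: the extra last_activity column, a Django-style middleware that stamps it (throttled to one write per session per hour so the hot path does not issue an UPDATE on every request), and a purge that removes sessions idle for 90 days regardless of their far-off expire_date. The table and column names, the dict standing in for the request, and the sample rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

TOUCH_INTERVAL = timedelta(hours=1)    # throttle: at most one UPDATE per session per hour
INACTIVITY_LIMIT = timedelta(days=90)  # the thread's "3 months"
NOW = datetime(2018, 8, 20, 12, 0, 0)  # fixed clock so the sample data is deterministic

def demo_db():
    """In-memory django_session table plus the proposed last_activity column (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE django_session (
        session_key VARCHAR(40) PRIMARY KEY, session_data TEXT NOT NULL,
        expire_date DATETIME NOT NULL, last_activity DATETIME NOT NULL)""")
    far_future = (NOW + timedelta(days=365 * 100)).isoformat()  # the 100-year expiry
    rows = [("active", far_future, (NOW - timedelta(days=2)).isoformat()),
            ("stale", far_future, (NOW - timedelta(days=120)).isoformat())]
    conn.executemany("INSERT INTO django_session VALUES (?, 'e30=', ?, ?)", rows)
    conn.commit()
    return conn

class LastActivityMiddleware:
    """Django-style middleware (__init__(get_response) / __call__(request)) that stamps
    last_activity for the request's session; raw DB-API here instead of the ORM."""
    def __init__(self, get_response, conn, now=datetime.now):
        self.get_response, self.conn, self.now = get_response, conn, now

    def __call__(self, request):
        key = request.get("session_key")  # constructed request: a dict, not an HttpRequest
        if key:
            self.touch(key)
        return self.get_response(request)

    def touch(self, key):
        """True if last_activity was written; False for an unknown key or a recent stamp."""
        row = self.conn.execute("SELECT last_activity FROM django_session WHERE session_key = ?",
                                (key,)).fetchone()
        if row is None or self.now() - datetime.fromisoformat(row[0]) < TOUCH_INTERVAL:
            return False
        self.conn.execute("UPDATE django_session SET last_activity = ? WHERE session_key = ?",
                          (self.now().isoformat(), key))
        self.conn.commit()
        return True

def purge_inactive(conn, now=None):
    """Delete sessions idle longer than INACTIVITY_LIMIT, ignoring the far-off expire_date."""
    cutoff = ((now or datetime.now()) - INACTIVITY_LIMIT).isoformat()
    deleted = conn.execute("DELETE FROM django_session WHERE last_activity < ?", (cutoff,)).rowcount
    conn.commit()
    return deleted
```

In a real deployment purge_inactive would be a management command run from the same cron job as clearsessions, and existing rows need a backfilled last_activity before the first purge or they would all be deleted.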


Jason

Aug 18, 2018, 8:09:19 AM
to Django users
With database sessions out of the box, no.


You can see there are three attributes for a session model: key, data and expire_date.

That said, since sessions are backed by browser cookies, Django's default is two weeks for session cookies, as you can see at https://docs.djangoproject.com/en/2.1/ref/settings/#std:setting-SESSION_COOKIE_AGE, which is used here: https://github.com/django/django/blob/master/django/contrib/sessions/backends/base.py#L225-L244

So if you haven't altered that, all sessions expire in two weeks, and you can just delete those expired sessions by using the clearsessions management command.

If you have changed that, then what Hemendra suggested above seems like a reasonable approach, but one that is not backwards compatible if you don't have a timestamp field for last access.


Mike Dewhirst

Aug 18, 2018, 10:52:42 PM
to django...@googlegroups.com
On 18/08/2018 6:33 PM, Web Architect wrote:
> Hi Mike,
>
> Thanks for your response.
>
> Ours is an ecommerce site and forcing logouts especially for our
> regular users, might not be desirable from business point of view .

I wasn't suggesting forcing logouts on a regular basis. I was thinking
that doing so once would permit a clearing of the entire slate as you
seemed to be thinking and only real users would create new sessions.

That might be appropriate after you implement one or other of the
technical suggestions.

There is more to consider too. If it is an ecommerce site security is
particularly important. Personally I wouldn't hesitate to let regular
users know you have security at top-of-mind and that is behind any minor
inconvenience. It might even be seen as a business bonus!

Web Architect

Aug 20, 2018, 1:30:33 AM
to Django users
Hi Hemendra, 

Thanks for the workaround. Would look at its feasibility in our existing scenario.

Thanks.

Web Architect

Aug 20, 2018, 1:34:24 AM
to Django users
Hi Jason,

Thanks for your response.

As mentioned in my earlier post, I have a long expiry date for the sessions (and hence the cookies) as we want our users to be always logged in or in session (till they clear their cookies). And that's what is causing the issue.

The goal is to keep the regular users logged in while flushing out the non-active users (even if their sessions haven't expired). Hence, I was looking for a solution for the same.

Thanks.

Avraham Serour

Aug 20, 2018, 3:30:03 AM
to django-users
Maybe something like this could be useful for your use case:
it has an option for SESSION_EXPIRE_AFTER_LAST_ACTIVITY.


Maybe this could also be useful for you: https://django-session-security.readthedocs.io/en/latest/




Michal Petrucha

Aug 20, 2018, 4:38:30 AM
to django...@googlegroups.com
There is another de-facto standard solution to this problem, which
does not involve setting the session expiry to years – it's usually
referred to as “persistent authentication cookie”. That way, sessions
would expire after the usual short period of time, and it also makes
the persistent login feature optional for your users.

I haven't found a maintained package that would implement this for
Django applications, but you can find a bunch of material on this
topic. For example, this article seems to consider a lot of potential
attack vectors:
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2

Michal
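As an added example (not from Michal's message or the linked article), here is a minimal persistent-login token of the kind described above, in stdlib Python: the cookie carries a selector and a validator, the selector is the database lookup key, only a hash of the validator is stored so a leaked table cannot be replayed, a wrong validator for a known selector burns the token, and the ordinary Django session keeps its short expiry because the token is only exchanged for a fresh session at login. The in-memory TOKENS store, the 30-day lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_ME_LIFETIME = 30 * 86400  # seconds; an assumed bound, unlike the thread's 100-year session

# Constructed stand-in for a persistent-login table keyed by selector (hypothetical name).
TOKENS = {}

def _hash(validator):
    return hashlib.sha256(validator.encode()).digest()

def issue_token(user_id, now=None):
    """Return the cookie value 'selector:validator'. Only a hash of the validator is stored,
    so a leaked table cannot be turned into cookies; the selector is the indexable lookup key."""
    selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    TOKENS[selector] = {"user_id": user_id, "validator_hash": _hash(validator),
                        "expires": (now or time.time()) + REMEMBER_ME_LIFETIME}
    return f"{selector}:{validator}"

def check_token(cookie, now=None):
    """Return user_id for a valid cookie, else None. On success the caller starts a normal
    short-lived Django session; the cookie itself is never treated as the session."""
    try:
        selector, validator = cookie.split(":", 1)
    except (AttributeError, ValueError):
        return None
    rec = TOKENS.get(selector)
    if rec is None or rec["expires"] <= (now or time.time()):
        TOKENS.pop(selector, None)  # expired: tidy up the row
        return None
    if not hmac.compare_digest(_hash(validator), rec["validator_hash"]):
        TOKENS.pop(selector, None)  # real selector, wrong validator: treat as theft and burn it
        return None
    return rec["user_id"]

def revoke_all(user_id):
    """'Log out everywhere': drop every persistent token issued to the user."""
    doomed = [s for s, r in TOKENS.items() if r["user_id"] == user_id]
    for s in doomed:
        del TOKENS[s]
    return len(doomed)
```

Because the store is keyed by selector and the validator is compared in constant time, lookup cost and timing do not depend on the secret part of the cookie.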

Web Architect

Aug 23, 2018, 2:48:16 AM
to Django users
Hi Avraham,

Thanks for the recommendation. Will take a look at the package. 

Thanks.

Web Architect

Aug 23, 2018, 2:58:20 AM
to Django users
Hi,

Thanks for the approach. On our site, customers have the option to do guest checkout, wherein users can make a purchase without registering/signing up. We are still using session information for such users. Hence, the session is kind of combined for logged-in and not-logged-in users. The challenge is to figure out the sessions for logged-in users (at least I am not aware of how to do that in Django).
Typically in businesses, users (specifically the masses and those who aren't that tech savvy) prefer a flow that's smooth and hassle free, though security definitely becomes an important aspect. Hence, the challenge is to combine both.

I would certainly look into the approach you have suggested. 

Thanks. 