Google Groups

Re: Django File-based session doesn't expire

Paul McMillan Apr 19, 2012 1:36 PM
Posted in group: Django developers (Contributions to Django itself)

This is explained in the docs about sessions:

We provide a job you can periodically run to remove expired sessions.
However, looking at the code, it appears that this only works for the
database backed sessions, and does not work for file-backed sessions.
In the usual case, the cookie expires out of the user's browser and so
they have no access to the session on disk, even if it is still
present, but this leaves you with an ever-growing directory of old
files on the disk.

As a practical matter, file-based sessions are extremely slow compared
to the other session backends, so they are not very common in
production environments.

If you'd like to open a ticket (or even write a patch), that would be
great. I would suggest two improvements (probably as separate
tickets). The first is to switch to using the new signing framework
for file-based sessions, which provides the option for stronger
datetime based integrity checking. The second would be to improve the
cleanup command so that it clears out file-based sessions in addition
to the database backed ones.


On Thu, Apr 19, 2012 at 11:44 AM, ej <> wrote:
> Anyone?
> On Tuesday, April 17, 2012 4:11:28 PM UTC-7, ej wrote:
>> File-based session backend doesn't expire, unlike db-backed and
>> cache-based sessions. I'm not too sure if this is a bug or an intended (but
>> undocumented) design. I am under the impression that all session backends
>> should behave similarly.
>> If this is an intended design, can someone explains why this is the case?
>> Thanks.
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To view this discussion on the web visit
> To post to this group, send email to
> To unsubscribe from this group, send email to
> For more options, visit this group at