Session expiration times


TP

Aug 20, 2008, 12:50:08 PM8/20/08
to Django developers
I recently ran into what I thought was counter-intuitive session
expiration behavior. See ticket http://code.djangoproject.com/ticket/8452
for the details.

I don't mean to dig up topics that have been long debated, but I also
wonder if these semantics make sense?

If I log into a site and only happen to read from my session, my
session will log out in SESSION_COOKIE_AGE seconds (or whatever
set_expiry says). However, if I happen to do actions that cause writes
to my session, then my session will expire at some hard-to-determine
point in the future. How to explain to a user when they will be logged
out -- X seconds after their last session write? I wrote the app and
I'm not even sure when the session is written to, due to third-party
libraries etc.

Further, for security reasons it seems like it's a good policy for
Django to ship with the default behavior for every session to
automatically expire SESSION_COOKIE_AGE seconds after the session was
created no matter what. If the app wants to push out the expiration
time every time the user is active, they can call set_expiry
explicitly. But I guess that's just one person's opinion.

Alternatively, for consistency, Django could update the expiry age
whenever the session is _read_ or written. Then the docs could simply
say the expiry age is updated whenever the session is used which is
very simple to understand: anytime someone comes back to the site
their session expiration time will renew. If they don't come back
within the expiration time, their session expires.

Steve Holden

Aug 20, 2008, 2:37:38 PM8/20/08
to django-d...@googlegroups.com
TP wrote:

SESSION_SAVE_EVERY_REQUEST is by far the most sensible option, and the
default behavior for every other web framework I've used. Interaction of
any kind with the server should be taken as an indication that the
session user wants the session to remain alive.

At least it's documented, though ...

regards
Steve
--
Steve Holden +1 571 484 6266 +1 800 494 3119
Holden Web LLC http://www.holdenweb.com/

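The three expiry behaviours the thread compares (renew only when the session is written, renew on every request as SESSION_SAVE_EVERY_REQUEST gives, and an absolute lifetime from creation as TP proposes) can be made concrete by replaying one sequence of requests against each policy. The following simulation is an added example written for this page, not Django's session code; the Policy, Session, handle_request and replay names and the request timeline are this example's own, and the SESSION_COOKIE_AGE value is chosen for illustration.

```python
"""Simulation of the session-expiry semantics discussed in the thread.

Added illustration, not Django's own code. It models:
  - WRITE_ONLY:     expiry refreshed only when a request modifies the session
                    (the default behaviour TP ran into);
  - EVERY_REQUEST:  any request refreshes the expiry, which is what
                    SESSION_SAVE_EVERY_REQUEST = True produces;
  - ABSOLUTE:       the session dies SESSION_COOKIE_AGE seconds after creation
                    no matter what, TP's proposed default.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, List, Optional, Tuple

SESSION_COOKIE_AGE = 600  # seconds; same name as the Django setting, value chosen for the example


class Policy(Enum):
    WRITE_ONLY = "renew on write"
    EVERY_REQUEST = "renew on every request"
    ABSOLUTE = "absolute lifetime"


@dataclass
class Session:
    created: int
    expires: int
    data: Dict[str, Any] = field(default_factory=dict)
    modified: bool = False

    def get(self, key: str) -> Any:
        return self.data.get(key)          # a read never marks the session dirty

    def set(self, key: str, value: Any) -> None:
        self.data[key] = value
        self.modified = True               # a write does


Writes = Tuple[Tuple[str, Any], ...]


def handle_request(session: Session, now: int, policy: Policy,
                   max_age: int = SESSION_COOKIE_AGE, writes: Writes = ()) -> bool:
    """Process one request at time `now`. Returns False if the session had already expired."""
    if now >= session.expires:
        return False
    session.get("user_id")                 # every request reads the session (auth check)
    for key, value in writes:
        session.set(key, value)
    # The save decision: this is the point the thread argues about.
    if policy is Policy.ABSOLUTE:
        pass                               # expiry was fixed when the session was created
    elif policy is Policy.EVERY_REQUEST or session.modified:
        session.expires = now + max_age    # saving pushes the expiry out by max_age
    session.modified = False
    return True


def replay(policy: Policy, events: List[Tuple[int, Writes]],
           max_age: int = SESSION_COOKIE_AGE) -> Tuple[Optional[int], int]:
    """Run `events` ([(time, writes), ...], ascending) from a fresh session.

    Returns (time of the first request that found the session expired, or None,
             the session's expiry timestamp at that point)."""
    t0 = events[0][0]
    session = Session(created=t0, expires=t0 + max_age)
    for t, writes in events:
        if not handle_request(session, t, policy, max_age, writes):
            return t, session.expires
    return None, session.expires


# Constructed timeline: a login (write), a few page views (reads), one more write.
EVENTS: List[Tuple[int, Writes]] = [
    (0, (("user_id", 42),)),              # login writes the user id
    (400, ()),                            # page view, read only
    (550, (("cart", ["sku-1"]),)),        # add to cart, writes
    (900, ()),                            # read only
    (1300, ()),                           # read only
    (1500, ()),                           # read only
]

if __name__ == "__main__":
    for policy in Policy:
        rejected_at, expires = replay(policy, EVENTS)
        status = f"rejected at t={rejected_at}" if rejected_at is not None else "still alive"
        print(f"{policy.value:24s} expiry={expires:5d}  {status}")
```

Under the write-only policy the read at t=900 keeps the session alive only because the write at t=550 had already pushed the expiry to 1150, which is exactly the "hard to determine" outcome TP describes; under the every-request policy the same timeline never expires, and under the absolute policy it ends at t=600 regardless of activity. In practice an idle timeout and an absolute lifetime are usually combined, so that even a continuously active session is eventually forced to re-authenticate.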