How to detect inactivity session time out?


ydjango

Feb 8, 2009, 3:07:28 PM
to Django users
I am setting inactivity session time out using -
a) request.session.set_expiry(900) and
b) SESSION_COOKIE_AGE = 900

I believe both work exactly the same way. Please correct me if they
have any different behavior.

How do I detect this time out in my app and give user a page that they
have been timed out due to inactivity.
I am using Django standard authentication using authenticate(), login()
and logout().


ydjango

Feb 9, 2009, 3:46:16 PM
to Django users
Anyone with a clue on

How do I detect time out in my app and give user a page that they have
been timed out due to inactivity.

I am using request.session.set_expiry(900), SESSION_COOKIE_AGE = 900
and Django standard authentication using authenticate(), login()
and logout().

Malcolm Tredinnick

Feb 9, 2009, 10:27:08 PM
to django...@googlegroups.com

You don't need to do anything like this. The browser simply won't send
the session cookie if it's too old (the session expiry time is used to
compute the cookie expiry time).

Regards,
Malcolm


ydjango

Feb 11, 2009, 6:43:07 PM
to Django users
OK, so the timeout happens on the browser (client) side, then I need to
figure out some JavaScript to detect that.

I was hoping in Django there is a way to detect that no session cookie
was sent or the session cookie is expired and then redirect to a page
with the message "For your security, you have been logged out due to
inactivity. Please login again..."



Malcolm Tredinnick

Feb 11, 2009, 9:33:03 PM
to django...@googlegroups.com
On Wed, 2009-02-11 at 15:43 -0800, ydjango wrote:
> OK, so the timeout happens on the browser (client) side, then I need to
> figure out some JavaScript to detect that.

No, you don't.

>
> I was hoping in Django there is a way to detect that no session cookie
> was sent or the session cookie is expired and then redirect to a page
> with the message "For your security, you have been logged out due to
> inactivity. Please login again..."

You can use the login_required decorator on views to do that (one
example). You aren't really exploiting Django's session framework very
well here. It already knows about the differences between logged in
(authenticated) and logged out (anonymous) users. So have a read of the
sessions documentation (and auth documentation) and the login_required
decorator.

Regards,
Malcolm

ydjango

Feb 11, 2009, 10:50:04 PM
to Django users
Thanks, I will read the documentation.
Hopefully it will tell me how to differentiate between users who logged
out because they clicked on logout and users who got logged out
because of inactivity and expiry.



Malcolm Tredinnick

Feb 11, 2009, 10:53:47 PM
to django...@googlegroups.com
On Wed, 2009-02-11 at 19:50 -0800, ydjango wrote:
> Thanks, I will read the documentation.
> Hopefully it will tell me how to differentiate between users who logged
> out because they clicked on logout and users who got logged out
> because of inactivity and expiry.

There is no difference between those users. They are both simply not
authenticated.

If you are wanting to do something special when a user selects "log
out", then you should write your own logout view and do it there.
However, again, I would question if you're solving the right problem
here. What you seemed to be asking to do (and this is the first time
you've mentioned different behaviour for those who actively logged out)
is saying that when a user visits a page that requires them to be logged
in (and they aren't logged in), they should be redirected to a login
page. Why does it matter whether they logged out or were timed out in
that case? In both situations, they need to be logged in to view that
page, so the same response is appropriate and suitable.

Regards,
Malcolm


ydjango

Feb 12, 2009, 12:40:24 AM
to Django users

I put a 15 minute expiry/session cookie age in my Django app.
1) I logged into my application
2) I went to some page.
3) Left that page open in browser.
4) Came back after 16 minutes and clicked on a link on that open page
5) I was thrown to login home page.
As a user it is very confusing: did I do something wrong or did the app
fail? What happened here? An explicit message "logged out due to
inactivity" helps.

Most bank and broker sites give an explicit message "You have been
logged out due to inactivity".



Brett Parker

Feb 12, 2009, 4:47:16 AM
to django...@googlegroups.com
On 11 Feb 21:40, ydjango wrote:
>
>
> I put a 15 minute expiry/session cookie age in my Django app.
> 1) I logged into my application
> 2) I went to some page.
> 3) Left that page open in browser.
> 4) Came back after 16 minutes and clicked on a link on that open page
> 5) I was thrown to login home page.
> As a user it is very confusing: did I do something wrong or did the app
> fail? What happened here? An explicit message "logged out due to
> inactivity" helps.
>
> Most bank and broker sites give an explicit message "You have been
> logged out due to inactivity".

OK - simplest way I can think of... off the top of my head...

Add a *second* cookie as well as the session cookie, this magic second
cookie just says whether or not they've visited the site, and if they did
whether they were logged in. Set a higher timeout on that cookie (maybe,
say, a day), and delete that cookie in the case of them actually logging
out rather than their login timing out.

Should be fairly easy to do from the login/logout views.

Cheers,
--
Brett Parker
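
The second-cookie suggestion above, sketched as an added example that is not part of the original thread. It uses the standard library's `http.cookies` rather than Django's response API so it runs on its own; the cookie name `was_logged_in`, the function names and the `live_sessions` set (standing in for the server-side session store) are assumptions. The marker cookie only selects which message the login page shows; authentication is still decided from the server-side session.

```python
from http.cookies import SimpleCookie

SESSION_AGE = 900                 # 15 minutes, as in the thread
MARKER_AGE = 24 * 60 * 60         # "maybe, say, a day"
SESSION_COOKIE = "sessionid"      # Django's default session cookie name
MARKER_COOKIE = "was_logged_in"   # hypothetical name for the second cookie


def _headers(pairs):
    """Build Set-Cookie values for (name, value, max_age) tuples."""
    jar = SimpleCookie()
    for name, value, max_age in pairs:
        jar[name] = value
        jar[name]["max-age"] = max_age
        jar[name]["path"] = "/"
        jar[name]["httponly"] = True
        jar[name]["secure"] = True
        jar[name]["samesite"] = "Lax"
    return [morsel.OutputString() for morsel in jar.values()]


def login_cookies(session_key):
    """Login view: session cookie plus the longer-lived marker."""
    return _headers([(SESSION_COOKIE, session_key, SESSION_AGE),
                     (MARKER_COOKIE, "1", MARKER_AGE)])


def logout_cookies():
    """Explicit logout: expire both, so no timeout notice is shown later."""
    return _headers([(SESSION_COOKIE, "", 0), (MARKER_COOKIE, "", 0)])


def login_page_reason(cookie_header, live_sessions):
    """Classify a request from its Cookie header.

    live_sessions stands in for the server-side session store. The marker
    carries no authority: a forged one only changes the message shown.
    """
    jar = SimpleCookie(cookie_header)
    session = jar.get(SESSION_COOKIE)
    if session is not None and session.value in live_sessions:
        return "authenticated"
    marker = jar.get(MARKER_COOKIE)
    if marker is not None and marker.value == "1":
        return "timed_out"   # show the inactivity notice, then clear the marker
    return "anonymous"
```
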
