Sessions Unexpectedly Causing Logout

SnappyDjangoUser

Feb 3, 2009, 2:43:42 PM
to Django users
I am having a weird issue in which users are randomly logged out of
the site and redirected to the login page. They must re-enter
credentials before being able to continue browsing the site. The
weird thing is I only see this on my production machine and not on my
development box (both serving via Apache and mod_python, although
different versions. I also have a different mysql database version in
production than on my development box).

Does anyone have any suggestions on how to debug? I do not know
enough details about how sessions work to know where to start
debugging.

I am using the built-in auth.views import login, login_required,
logout_then_login methods to handle session creation. I am using the
default SESSION_COOKIE_AGE of 2 weeks and I set
SESSION_EXPIRE_AT_BROWSER_CLOSE to True.

I have looked at the django_session table and the table is small since
the site just launched and there are no expired sessions in the table.

The weird thing is that I do not see session entries deleted from the
django_session table when the user selects logout (and
auth.views.logout_then_login is called). I also do not see consistent
behavior of session entries being created in django_sessions
upon user login (auth.views.login is called).

Any guidance would be appreciated. Thanks!

Malcolm Tredinnick

Feb 3, 2009, 8:55:00 PM
to django...@googlegroups.com
On Tue, 2009-02-03 at 11:43 -0800, SnappyDjangoUser wrote:
> I am having a weird issue in which users are randomly logged out of
> the site and redirected to the login page. They must re-enter
> credentials before being able to continue browsing the site. The
> weird thing is I only see this on my production machine and not on my
> development box (both serving via Apache and mod_python, although
> different versions. I also have a different mysql database version in
> production than on my development box).
>
> Does anyone have any suggestions on how to debug? I do not know
> enough details about how sessions work to know where to start
> debugging.

You would need to catch the problem in action. Put some debugging code
in to catch the redirect. If you're using something like a
login_required decorator, write your own version that captures some
debugging information before redirecting. You should be trying to work
out why the authorisation check is failing: Is it because the necessary
cookie isn't being sent? Is it because the cookie is being sent and the
corresponding row in the database isn't being found? Try to think of a
few possibilities and log whatever information might be useful to track
them down.


>
> I am using the built-in auth.views import login, login_required,
> logout_then_login methods to handle session creation. I am using the
> default SESSION_COOKIE_AGE of 2 weeks and I set
> SESSION_EXPIRE_AT_BROWSER_CLOSE to True.
>
> I have looked at the django_session table and the table is small since
> the site just launched and there are no expired sessions in the table.
>
> The weird thing is that I do not see session entries deleted from the
> django_session table when the user selects logout (and
> auth.views.logout_then_login is called).

How are you looking for deletions? By counting the number of entries in
the table? Because that wouldn't be valid. Even non-logged in users
generate entries in the session table (sessions are not, by themselves,
an indication of authentication). So, "deletions", per se, won't really
be noticeable in the sessions table unless you have a lot of expired
sessions and run some script to delete any expired ones.

When a user logs out, the entry for their current session id is deleted
and a new entry is created for the new (anonymous user) session more or
less at the same time. So the number of entries in the session table
won't change.

> I also do not see consistent
> behavior of session entries being created in django_sessions
> upon user login (auth.views.login is called).

What do you mean by "consistent"? Again, the number of entries in the
table won't change when somebody logs in. The value of their session id
will change, but the existence or otherwise, since everybody has a
session id associated with their interaction with the site.

Regards,
Malcolm
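
Added example (not part of the original thread or Django's own code): a framework-independent sketch of the debugging version of login_required suggested above, which records which check failed before redirecting. The `lookup` callable, the dict-shaped request and the reason strings are assumptions for illustration; in a Django project `lookup` would read the django_session row matching the cookie value.

```python
import hashlib
import logging
from datetime import datetime
from functools import wraps

log = logging.getLogger("auth.debug")
SESSION_COOKIE_NAME = "sessionid"  # Django's default session cookie name
AUTH_USER_KEY = "_auth_user_id"    # key django.contrib.auth stores in session data

def fingerprint(key):  # short hash for log correlation; never log the raw key
    return hashlib.sha256(key.encode()).hexdigest()[:12] if key else "-"

def diagnose(cookies, lookup, now):
    """Classify an unauthenticated request. lookup(key) -> (expire_date, data)
    or None; a hypothetical stand-in for reading the django_session row."""
    key = cookies.get(SESSION_COOKIE_NAME)
    if not key:
        return "no-session-cookie"       # browser did not send the cookie
    if (row := lookup(key)) is None:
        return "session-row-missing"     # cookie sent, no matching row
    expire_date, data = row
    if expire_date <= now:
        return "session-expired"
    return "authenticated" if AUTH_USER_KEY in data else "session-is-anonymous"

def debug_login_required(lookup, login_url="/login/"):  # logs why, then redirects
    def decorator(view):
        @wraps(view)
        def wrapper(request):  # request: dict stand-in with "cookies" and "path"
            cookies = request["cookies"]
            reason = diagnose(cookies, lookup, datetime.now())
            if reason == "authenticated":
                return view(request)
            log.warning("login redirect: reason=%s path=%s session=%s", reason,
                        request["path"], fingerprint(cookies.get(SESSION_COOKIE_NAME)))
            return ("redirect", login_url)
        return wrapper
    return decorator

# Constructed sample session table: session key -> (expire_date, decoded data)
STORE = {
    "aaa111": (datetime(2999, 1, 1), {AUTH_USER_KEY: 7}),
    "bbb222": (datetime(2999, 1, 1), {}),
    "ccc333": (datetime(2000, 1, 1), {AUTH_USER_KEY: 7}),
}

@debug_login_required(STORE.get)
def dashboard(request):
    return ("ok", request["path"])
```

The session key is itself a credential, so the log line carries only a truncated hash of it, which is enough to correlate requests from the same session.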

Graham Dumpleton

Feb 3, 2009, 9:10:46 PM
to Django users
Are you running multiple Django sites mounted at different URLs under
the same host?

Used to be the case, not sure now, that the session cookie path would
be set to '/' meaning that you see interference between multiple sites
under same host if they all use login. To avoid this, easiest thing to
do is set SESSION_COOKIE_NAME differently for each site.

If the sites are not overlapping, could also set SESSION_COOKIE_PATH
to be their actual URL mount point rather than slash.

Graham

SnappyDjangoUser

Feb 11, 2009, 2:18:34 PM
to Django users
Sorry for my recent absence in replies.... I was away from this work
for a short while, but I am now back.

In response to Graham's question, I am not running multiple Django
applications on the same host. This is one Django app on one host.

Malcolm, thank you for the brief introduction to session key
generation. I was indeed counting the number of rows in the
django_session table and expecting additions and deletions upon login/
logout. I now understand that this is not to be expected.

I have tried stepping through the code to catch the problem in action,
but have thus far been unable to find where the error is. My site
uses the @login_required() decorator on each method, but for
debugging I moved it into my view function and walked through the
function calls into the Django code.

One thing I noticed is that is_authenticated() in /<path_to_python>/
django/contrib/auth/models.py is hard coded to always return True. I
thought this was odd and do not understand the rationale. Is there a
specific method that performs the authentication that I have
overlooked? If someone knows off the top of their head could you
point me in the direction of that method?

I do want to point out that I overrode the authentication and am
performing an LDAP authentication on my own instead of using
django.contrib.auth.backends. Maybe this is a contributing factor....
Does anyone know if it is necessary to write my own is_authenticated()
method since I am doing my own authentication?

Thanks,

Brian

On Feb 3, 6:10 pm, Graham Dumpleton <Graham.Dumple...@gmail.com>
wrote:
> On Feb 4, 6:43 am, SnappyDjangoUser <bpwall...@gmail.com> wrote:
>
>
>
> > I am having a weird issue in which users are randomly logged out of
> > the site and redirected to the login page.  They must re-enter
> > credentials before being able to continue browsing the site.  The
> > weird thing is I only see this on my production machine and not on my
> > development box (both serving via Apache and mod_python, although
> > different versions.  I also have a different mysql database version in
> > production than on my development box).
>
> > Does anyone have any suggestions on how to debug?  I do not know
> > enough details about how sessions work to know where to start
> > debugging.
>
> > I am using the built-in auth.views import login, login_required,
> > logout_then_login methods to handle session creation.  I am using the
> > default SESSION_COOKIE_AGE of 2 weeks and I set
> > SESSION_EXPIRE_AT_BROWSER_CLOSE to True.
>
> > I have looked at the django_session table and the table is small since
> > the site just launched and there are no expired sessions in the table.

Malcolm Tredinnick

Feb 11, 2009, 9:25:34 PM
to django...@googlegroups.com
On Wed, 2009-02-11 at 11:18 -0800, SnappyDjangoUser wrote:
> Sorry for my recent absence in replies.... I was away from this work
> for a short while, but I am now back.
>
> In response to Graham's question, I am not running multiple Django
> applications on the same host. This is one Django app on one host.
>
> Malcolm, thank you for the brief introduction to session key
> generation. I was indeed counting the number of rows in the
> django_session table and expecting additions and deletions upon login/
> logout. I now understand that this is not to be expected.
>
> I have tried stepping through the code to catch the problem in action,
> but have thus far been unable to find where the error is. My site
> uses the @login_required() decorator on each method, but for
> debugging I moved it into my view function and walked through the
> function calls into the Django code.
>
> One thing I noticed is that is_authenticated() in /<path_to_python>/
> django/contrib/auth/models.py is hard coded to always return True.

That isn't correct. It always returns true for the User model, but not
for the AnonymousUser model (which is also in that file). This is
because a User model instance is only created for an authenticated user
by the auth application (if they aren't authenticated, an AnonymousUser
instance is created).

> I
> thought this was odd and do not understand the rationale. Is there a
> specific method that performs the authentication that I have
> overlooked?

http://docs.djangoproject.com/en/dev/topics/auth/#django.contrib.auth.authenticate

Regards,
Malcolm
