SESSION_COOKIE_AGE in global_settings.py


Matt

Mar 10, 2006, 11:13:46 AM
to Django users
I'm trying to change the behavior of my session cookies. Currently, if
a user does not log out before closing his browser, then he can return
to the admin anytime within 2 weeks without being prompted to log in
again. Ideally I want the session cookie to be erased when the user
closes his browser, which would allow for indefinite session length (as
long as the browser remains open), but it would not allow someone to
return to the admin area without logging in again if he closes his
browser without logging out. If this is not possible, then I suppose
I could just change the cookie age to 12 hours so sessions would not
(very likely) persist for more than a day. I tried this in
global_settings.py:

SESSION_COOKIE_AGE = 0

and

SESSION_COOKIE_AGE = 1

...but it continues to set cookies that expire in 2 weeks. I am making
sure to log out, remove the cookie, and close my browser before
attempting to log in again after I change the setting. Also, I tried
restarting the test server after modifying the setting, but it seems
that Django is simply ignoring the setting. So, a couple questions...

Does SESSION_COOKIE_AGE = 0 force a user's browser to erase the cookie
when the browser closes, even if the browser is set to keep cookies
until they expire?

Why is Django not applying the changes I make in global_settings.py?

oggie rob

Mar 10, 2006, 5:10:57 PM
to Django users
Hi Matt,
All that the SESSION_COOKIE_AGE changes is the expire_date on a
"session" entry in one of your database tables. If you change
SESSION_COOKIE_AGE, but are still logged in, then that date is still
going to be about two weeks in the future.
Try logging out, and setting the COOKIE_AGE to something more realistic
(like 60, for testing purposes).

As for SESSION_COOKIE_AGE = 0, if I remember correctly this just means
the expire_date is the maximum date the database can support. This
means the cookie will not be removed until the user manually logs out.

On the project website you will see that this was an intentional
design, although there is little discussion as to the pros and cons of
using this vs. the more typical behaviour (that you are describing).
You can set SESSION_SAVE_EVERY_REQUEST to True which might provide what
you want.

Really it's all here tho :)
http://www.djangoproject.com/documentation/sessions/

-rob

Matt

Mar 10, 2006, 6:06:42 PM
to Django users
Thanks for the reply, Rob.

I finally figured out one of my problems. Changing the setting in my
global_settings.py file was not affecting my project, so I had to add
the # SESSION # section (which includes SESSION_COOKIE_AGE,
SESSION_SAVE_EVERY_REQUEST, and a few others) to my project-specific
settings.py file.

Currently I'm using 43200 or something (12 hours), which should prevent
users from persisting sessions more than one day. I'll have to try the
..._REQUEST setting next to see if I can force the cookie to die when
the user's browser is closed.

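Added example, not part of the thread and not Django's own code: a standard-library sketch of the two lifetimes the thread is about, the cookie lifetime the browser enforces and the expiry date stored with the server-side session record. The cookie name, session key and helper names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

TWELVE_HOURS = 43200  # seconds; the 12-hour value mentioned in the thread


def build_session_cookie(session_key, age_seconds=None):
    """Return a Set-Cookie value for a session cookie.

    age_seconds=None leaves out Max-Age and Expires, which makes this a
    browser-session cookie that is dropped when the browser exits.
    Max-Age=0 is not the same thing: RFC 6265 treats it as "discard now".
    """
    cookie = SimpleCookie()
    cookie["sessionid"] = session_key  # cookie name is an assumption
    morsel = cookie["sessionid"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if age_seconds is not None:
        morsel["max-age"] = age_seconds
    return morsel.OutputString()


def has_explicit_lifetime(set_cookie_value):
    """True if the cookie carries Max-Age or Expires, so the browser keeps
    it across restarts until that lifetime runs out."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_value)
    morsel = next(iter(parsed.values()))
    return bool(morsel["max-age"] or morsel["expires"])


def server_side_expiry(created, age_seconds):
    """Expiry date stored with the server-side session record."""
    return created + timedelta(seconds=age_seconds)


def session_is_valid(expire_date, now):
    """The server rejects an expired record even if the browser still
    sends the cookie, so this check bounds the session either way."""
    return now < expire_date


if __name__ == "__main__":
    key = "constructed-session-key"  # constructed sample value
    print(build_session_cookie(key, TWELVE_HOURS))  # persistent for 12 hours
    print(build_session_cookie(key))                # gone at browser close
    created = datetime(2006, 3, 10, 11, 0, tzinfo=timezone.utc)
    print(server_side_expiry(created, TWELVE_HOURS))
```

Using a browser-session cookie together with a bounded server-side expiry covers both cases raised in the thread: the cookie goes away on browser close, and a browser left open or restored with its cookies still cannot outlive the server-side record.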