User sessions lost in Django - django

I'm running a site on Django that has been in operation for a few years. We use sessions with a Redis cache backend. After a reasonably minor update of Django to 1.11.16 from an earlier 1.11.* version, we're seeing that user sessions are being ended for no obvious reason.
One dependable way to get a session to end is to navigate to a URL that causes a history.replaceState() to replace the URL. As soon as that happens, the old session ends, the user is logged out, and a new session is started.
Any clues would help.

Related

Last activity field in Django's user sessions

How and when exactly does last_activity in Django sessions get updated? I've been testing a Django app, and my last activity in user sessions is logged as several days ago, even though I logged in yesterday as well. What could be going on?
That's a direct result of when sessions are saved.
By default, Django only saves to the session database when the session has been modified, that is, if any of its dictionary values have been assigned or deleted.
If you want to mark a user as being active, you can place the following code in key areas of your app to mark the session as being modified so that it will be saved again in the storage:
request.session.modified = True
Alternatively you can use SESSION_SAVE_EVERY_REQUEST to make sure that the session gets saved on each and every request; this of course comes with an extra hit to the db.

Unused Django sessions not expiring, cluttering database

One of my Django websites was recently found by some crawler that went nuts over the login page, requesting it 100-200 times per minute for a couple days before I noticed. I only found out because my database backups started exploding in size, specifically because of the django_sessions table. I have django-admin.py clearsessions set to run daily to clean out expired sessions, but the millions of sessions created wouldn't be touched by the command. The crawler didn't actually try to log in, but
I ended up blocking the bot, adding rel='nofollow' to login links, and adding Disallow: /login/ to robots.txt, but for the long-term this still suggests that something can come along and fill up my database with garbage. How do I avoid this? I don't know why I even care about sessions for users that aren't logged in, can I restrict sessions to them?
My sessions middleware is django.contrib.sessions.middleware.SessionMiddleware and I haven't specified the SESSION_ENGINE (so it's default, I presume).

Flask-login loaded a wrong user

I'm building a web app with Flask-login, but sometimes I find myself logged in as another user instead of myself.
It happens if I passed the "remember=True" parameter during my last login, but not always.
I'm wondering whether it's a bug in Flask-login or just a bug in my code. How can I fix this?
As #doobeh mentioned in a comment earlier -- the way Flask-Login works is by grabbing user information from session data.
If your session information gets messed up somehow, this could cause problems for you.
To wipe your sessions, change your SECRET_KEY setting to a new random string, then restart your Flask service -- this will invalidate all old sessions and force users to re-authenticate.
This should do it!

Django, track session even as user logs in and out

How do I track sessions in Django even after a user has logged in or out? I am using Django authentication.
For example, a user lands on the main page, and maybe follows a few links on my site. Then he logs in. Logs out. Follows some links. I want to track that this is the same user, or at least someone using the same browser session.
I am currently tracking
request.user.id
which is, of course, specific for a logged in user.
I thought I could use
request.session.session_key
to track the session, but the session_key changes when the user logs in and again when he logs out.
(What I really want to know is whether the person who lands on my page also logs in / signs up.)
Don't rely on the session cookie for this (because indeed, Django automatically rotates it across login / logouts — mainly to prevent session fixation attacks).
Instead, just create your own cookie, and track users that way.
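The two answers above lean on the same mechanism from opposite sides: a cookie the application signs itself is independent of the framework's session (so it survives Django's session-key rotation at login and logout), and rotating the signing secret (the SECRET_KEY change suggested for Flask) makes every cookie issued under the old secret fail verification. The following is an added example, not code from either answer or from Flask or Django; it uses a standard-library HMAC construction as a stand-in for Flask's itsdangerous signer, and the cookie name `visitor_id` and the helper names are assumptions chosen for the illustration.

```python
"""Added example: a minimal signed visitor cookie and what secret rotation
does to it. The HMAC-SHA256 'value.mac' layout is a stand-in for the real
Flask/itsdangerous cookie format, not a reproduction of it."""
import hashlib
import hmac
import secrets

COOKIE_NAME = "visitor_id"   # assumed name for the app's own cookie


def sign_value(value: str, key: bytes) -> str:
    """Return 'value.<hex mac>' so the server can later detect tampering."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(cookie: str, key: bytes):
    """Return the payload if the MAC checks out under `key`, else None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep or not value:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def visitor_id_for(request_cookies: dict, key: bytes):
    """Look up the visitor id in the request's cookies.

    Returns (visitor_id, cookie_to_set). cookie_to_set is None when the
    incoming cookie was valid; otherwise a fresh id is minted and the
    caller should set the returned signed cookie on the response."""
    existing = request_cookies.get(COOKIE_NAME)
    if existing is not None:
        vid = verify_value(existing, key)
        if vid is not None:
            return vid, None
    # Missing, tampered, or signed under an old key: issue a new one.
    vid = secrets.token_urlsafe(16)          # no '.' in the alphabet
    return vid, sign_value(vid, key)


def survives_session_rotation(key: bytes) -> bool:
    """Model Django rotating session_key at login/logout while the app's own
    cookie is left untouched: the visitor id must stay the same throughout."""
    vid, cookie = visitor_id_for({}, key)            # anonymous first visit
    jar = {COOKIE_NAME: cookie, "sessionid": secrets.token_hex(16)}
    seen = [vid]
    for _ in ("login", "logout"):
        jar["sessionid"] = secrets.token_hex(16)     # framework rotates this
        vid_again, to_set = visitor_id_for(jar, key)
        seen.append(vid_again)
        assert to_set is None                        # no re-issue needed
    return all(v == seen[0] for v in seen)


if __name__ == "__main__":
    old_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    vid, cookie = visitor_id_for({}, old_key)
    print("same visitor across login/logout:", survives_session_rotation(old_key))
    print("old cookie valid after key rotation:", verify_value(cookie, new_key) is not None)
```

Rotating the key is a blunt instrument: it logs every user out at once, which is exactly what the Flask answer wants, but it also discards the visitor ids from the Django answer, so keep the two secrets separate if you need one without the other.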

Can I prevent Django user login sessions from expiring?

I'm working on a site that uses Django 1.2.5. It uses the Django authentication backend to log users in and out. This, in turn, uses the Django session framework to set cookies. It appears that cookies set by Django's session backend expire after 2 weeks. I've gotten complaints from users that they are being logged out of their accounts and have to log back in, and I suspect this is due to the fact that cookies are expiring after 2 weeks. I have SESSION_COOKIE_AGE set to 1 year (i.e., 31556926 seconds) but I don't know if that's the best solution to this problem -- I'm not sure if it'll have unintentional side effects.
Is there a way to keep users logged in indefinitely (i.e., keep them logged in until they manually log out)? I haven't found a setting, but any solution (e.g., middleware or the like) would be acceptable.
The only way to extend session life is through longer-lived cookies. Every other method of user identification (e.g. IP + user-agent) suffers from ambiguity and, therefore, has security issues.
I created a simple middleware that updates user session cookies periodically, which eliminates the described problem.
https://github.com/IlyaSemenov/django-everlasting-sessions
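The last-activity answer earlier on this page (save only when the session is modified, or pay for a write on every request with SESSION_SAVE_EVERY_REQUEST) and the answer just above (keep the cookie alive by refreshing it periodically) are both served by one middleware that touches the session at most once per interval. Because Django's SessionMiddleware re-sends the cookie with the current expiry age whenever the session was modified, a throttled touch both refreshes the stored last-activity timestamp and extends the cookie. The code below is an added example, not the linked project's code; the interval, the `_last_touch` key and the FakeSession/FakeRequest stand-ins (included so it runs without Django installed) are assumptions, and the middleware itself only uses the `request.session` API (get, item assignment, set_expiry).

```python
"""Added example: Django-style middleware that re-saves the session at most
once per TOUCH_INTERVAL. Assigning a session key sets session.modified,
so SessionMiddleware saves the session and re-sends the cookie with the
expiry returned by get_expiry_age(); set_expiry() resets that age."""
import time

TOUCH_INTERVAL = 600        # assumption: force a save at most every 10 minutes
SESSION_AGE = 31556926      # one year in seconds, the value quoted in the question
LAST_TOUCH_KEY = "_last_touch"   # assumed session key holding the last touch time


class SessionRefreshMiddleware:
    def __init__(self, get_response, now=time.time):
        self.get_response = get_response
        self.now = now      # injectable clock so the behaviour can be tested

    def __call__(self, request):
        session = request.session
        current = self.now()
        last = session.get(LAST_TOUCH_KEY)
        if last is None or current - last >= TOUCH_INTERVAL:
            # This assignment marks the session modified; anonymous crawler
            # hits that never touch the session are still not written here.
            session[LAST_TOUCH_KEY] = current
            session.set_expiry(SESSION_AGE)    # cookie goes out with a fresh age
        return self.get_response(request)


# --- stand-ins for Django's objects, constructed for this example ---
class FakeSession(dict):
    """Mimics the parts of SessionBase the middleware relies on."""
    def __init__(self):
        super().__init__()
        self.modified = False
        self.expiry_age = None

    def __setitem__(self, key, value):
        super().__setitem__(key, value)
        self.modified = True

    def set_expiry(self, seconds):
        self.expiry_age = seconds
        self.modified = True


class FakeRequest:
    def __init__(self, session):
        self.session = session


def simulate(request_times):
    """Send one session through requests at the given timestamps and
    return, per request, whether the middleware forced a save."""
    session = FakeSession()
    clock = {"t": 0}
    middleware = SessionRefreshMiddleware(lambda req: "ok", now=lambda: clock["t"])
    forced = []
    for t in request_times:
        clock["t"] = t
        session.modified = False   # Django builds a fresh SessionStore per request
        middleware(FakeRequest(session))
        forced.append(session.modified)
    return forced


if __name__ == "__main__":
    print(simulate([0, 100, 599, 600, 900, 1300]))
    # → [True, False, False, True, False, True]
```

Drop the middleware into MIDDLEWARE after SessionMiddleware; with a cache-backed session engine like the Redis one in the first question, the interval bounds how often each active session is rewritten while still keeping last activity within TOUCH_INTERVAL of the truth.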