I have a problem when using Django.I set :
session_expire_at_browser_close = true
So,When a user close the browser,his session expire.
Now I also record times of try to login in session.
request.session['try_times'] += 1
If a user try to many times,the website will ask for a verification code.
But because of the setting above,the session expire after restart the browser.
Is any method can meet the two requirements above at the same time?
That is to say,when the browser is closed,a user should be logout,and the 'try_times' should not be deleted.
Your can try to record the try_times on your server.
Related
Ours is a web application. The security team has suggested us to change cookie upon every escalation in the authorization.
Accordingly, I wanted to update the client side cookie after authentication. And I used the below code:
System.Web.HttpCookie cookie = Request.Cookies["ASP.NET_SessionId"];
System.Web.HttpCookie dummyCookie = new System.Web.HttpCookie("SessionId");
cookie.Value = dummyCookie.Value;
Response.Cookies.Add(cookie);
Problem is as soon as the cookie gets updated, the user is again taken as an unauthenticated user.
Thanks in advance.
I have implemented like below to handle this in my project.
When user browse the application login page. I am deleting the sessionid in the session-cookie using below code in the page load.
if(!IsPostBack)
{
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
HttpContext.Current.Session.RemoveAll();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
}
The above code will empty the sessionid in the session cookie. Now when user enter the appropriate credentials asp.net will create new session id automatically, so browser will get new session upon successful authentication. If user entered wrong credentials then using above code i am resetting the sessionid again so the new sessionid will automatically generated up on successful authentication.
Security tools no more showing session fixation issue after above implementation was in place in my project. I hope this helps.
I'm trying to ping Django from a javascript frontend to find out when a user's session will expire. I'm doing this so I can proactively notify a user when their session has expired.
Unfortunately, the session expire time is updated because I'm hitting the Django app. I've tried reading the session cookie from javascript, but it is not accessible (nor recommended to be accessible) from javascript.
How can I ping my Django app from javascript to get when the session will end?
What about passing the number of seconds until session will expire directly to your template/javascript? For example, you can get it using this method in your view function and pass it further.
I have implemented SESSION_EXPIRE_ON_BROWSER_CLOSE setting in my django application. I have a model A that is tied to the session key of current user session. So, when the user closes the browser session expires, how can I configure a Signal(or any other way) to update model A?
No. Session expiration is not an event, and the server knows nothing about when it happens.
The Django documentation states:
You can control whether the session framework uses browser-length
sessions vs. persistent sessions with the
SESSION_EXPIRE_AT_BROWSER_CLOSE setting.
If SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, Django will use
browser-length cookies -- cookies that expire as soon as the user
closes his or her browser. Use this if you want people to have to log
in every time they open a browser.
This setting is a global default and can be overwritten at a
per-session level by explicitly calling the set_expiry() method of
request.session as described above in using sessions in views.
So when I set SESSION_EXPIRE_AT_BROWSER_CLOSE to True in my settings file, this indeed is what it does. This is good because I want a user's session to expire upon browser close. However, I also want a user's session to expire after, say, 15 minutes of inactivity. If I use set_expiry() mentioned above, the SESSION_EXPIRE_AT_BROWSER_CLOSE is overridden so if a user closes the browser and then re-opens the browser before the expiration, the session is still valid. Not what I want.
In addition, the documentation for set_expiry() says the sessions expires after the set amount of time of inactivity. That's actually not true. It expires no matter what, whether my user is clicking around on the site or not.
So to summarize, what I want to do is:
Have my sessions configured that if the user closes the browser, the session automatically expires.
Set a session expiration length that is updated with activity, i.e. if a user does something else on the site, the expiration is reset.
Thoughts/suggestions?
As Jiaaro suggested in this answer you can use SESSION_EXPIRE_AT_BROWSER_CLOSE and set a timestamp on session at each request and add a custom Middleware to handle the inactivity.
From docs https://docs.djangoproject.com/en/1.8/topics/http/sessions/#browser-length-sessions-vs-persistent-sessions
Some browsers (Chrome, for example) provide settings that allow users to continue browsing sessions after closing and re-opening the browser. In some cases, this can interfere with the SESSION_EXPIRE_AT_BROWSER_CLOSE setting and prevent sessions from expiring on browser close. Please be aware of this while testing Django applications which have the SESSION_EXPIRE_AT_BROWSER_CLOSE setting enabled.
Sessions expire when the user closes the browser:
This requirement implemented by setting SESSION_EXPIRE_AT_BROWSER_CLOSE to True.
Reference
Sessions expire after a period of inactivity:
SESSION_COOKIE_AGE is the age of session cookies, in seconds.
Default: 1209600 (2 weeks, in seconds)
Reference
You should set these option on your setting/__init__.py
Search engine cache make sure then the session will be closed when TOGETHER with SESSION_EXPIRE_AT_BROWSER_CLOSE = TRUE
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
By default, SESSION_EXPIRE_AT_BROWSER_CLOSE is set to False, which means session cookies will be stored in users’ browsers for as long as SESSION_COOKIE_AGE. Use this if you don’t want people to have to log in every time they open a browser.
If SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, Django will use browser-length cookies – cookies that expire as soon as the user closes their browser. Use this if you want people to have to log in every time they open a browser.
we have a web service for some numerical computing. It has a registered mode, in which a user has to register to have its results sent by mail.
We would like to keep track of how long the user stays logged. The login time is written in the database upon successful registration. Registration in not permanent, it's just for the purpose of single session and is used for acquiring the user email.
There are a few situations possible:
User logs out normally via the logout button.
Simplest solution. Write the time and logout in the database, and delete session.
User logs out by session expiry.
I'm planning on having a script which would check all the database entries which don't have a set logout time and if current time - login time > expiry time write logout time in a database as login time + expiry time.
User logs out by browser close.
The sessions have a get_expire_at_browser_close() set to True. But i don't know how can the server detect browser closure.
Ideas, critics, comments?
In django session middleware these lines control session expiration if we want that SESSION_EXPIRE_AT_BROWSER_CLOSE:
if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
max_age = None
expires = None
Server doesn't have to do detect anything as cookie that has no max_age or expires set should be deleted on the client side, according to this page:
By setting either of these, the cookie will persist until its time runs out, otherwise—if you set neither—the cookie will last until you close your browser (a “session cookie”).
Edit:
One way of tracking how long user was online is by using javascript that will ping server every now and then. It will happen only as long as the user has page opened in browser and on every ping server should update last seen online value for the user.
When user closes browser session is over. Next time user logs in server can calculate duration of his last visit as last seen online - last login time.
Simpler solution without using any javascript: last seen online could be updated on every user request using simple custom middleware.