Django session expires at browser close OR after time - django

The Django documentation states:
You can control whether the session framework uses browser-length
sessions vs. persistent sessions with the
SESSION_EXPIRE_AT_BROWSER_CLOSE setting.
If SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, Django will use
browser-length cookies -- cookies that expire as soon as the user
closes his or her browser. Use this if you want people to have to log
in every time they open a browser.
This setting is a global default and can be overwritten at a
per-session level by explicitly calling the set_expiry() method of
request.session as described above in using sessions in views.
So when I set SESSION_EXPIRE_AT_BROWSER_CLOSE to True in my settings file, this indeed is what it does. This is good because I want a user's session to expire upon browser close. However, I also want a user's session to expire after, say, 15 minutes of inactivity. If I use set_expiry() mentioned above, the SESSION_EXPIRE_AT_BROWSER_CLOSE is overridden so if a user closes the browser and then re-opens the browser before the expiration, the session is still valid. Not what I want.
In addition, the documentation for set_expiry() says the sessions expires after the set amount of time of inactivity. That's actually not true. It expires no matter what, whether my user is clicking around on the site or not.
So to summarize, what I want to do is:
Have my sessions configured that if the user closes the browser, the session automatically expires.
Set a session expiration length that is updated with activity, i.e. if a user does something else on the site, the expiration is reset.
Thoughts/suggestions?

As Jiaaro suggested in this answer, you can keep SESSION_EXPIRE_AT_BROWSER_CLOSE = True, store a timestamp in the session on each request, and add a custom middleware that handles the inactivity timeout.
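The approach the answer describes, written out as an added example (not code from the original page or from Django itself). It assumes the new-style middleware API (a callable constructed with get_response, Django 1.10 and later), SESSION_EXPIRE_AT_BROWSER_CLOSE = True in settings, and two names invented for this example: the setting SESSION_IDLE_TIMEOUT and the session key _last_activity. The FakeSession and FakeRequest classes are stand-ins for request.session and the request object so the block runs without Django; in a real project only the middleware class is needed.

```python
import time

# Hypothetical names for this example; the answer above only says "store a
# timestamp in the session on each request and handle it in middleware".
SESSION_IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before logout
LAST_ACTIVITY_KEY = "_last_activity"    # key stored in request.session


def idle_expired(session, now, timeout=SESSION_IDLE_TIMEOUT):
    """True when the gap since the stored timestamp exceeds the timeout.

    A session with no timestamp yet (first request) is not expired.
    """
    last = session.get(LAST_ACTIVITY_KEY)
    return last is not None and (now - last) > timeout


class IdleSessionTimeoutMiddleware:
    """Django-style middleware adding a sliding inactivity limit.

    The session cookie itself stays browser-length (SESSION_EXPIRE_AT_BROWSER_CLOSE
    is untouched), so closing the browser still ends the session; this class
    only adds the "15 minutes without a request" rule on the server side.
    """

    def __init__(self, get_response, timeout=SESSION_IDLE_TIMEOUT, clock=time.time):
        self.get_response = get_response
        self.timeout = timeout
        self.clock = clock  # injectable so the demo below can fake time

    def __call__(self, request):
        session = request.session
        now = self.clock()
        if idle_expired(session, now, self.timeout):
            # Django's SessionBase.flush() deletes the server-side data and
            # issues a fresh session key, which also logs the user out.
            session.flush()
        # Writing the key marks the session modified, so Django saves it and
        # re-sends the (browser-length) cookie on every request; no need for
        # SESSION_SAVE_EVERY_REQUEST, but expect one session write per request.
        session[LAST_ACTIVITY_KEY] = now
        return self.get_response(request)


class FakeSession(dict):
    """Stand-in for request.session, constructed for the stand-alone demo."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.flushed = 0

    def flush(self):
        self.flushed += 1
        self.clear()


class FakeRequest:
    """Minimal request object: the middleware only touches .session."""

    def __init__(self, session):
        self.session = session


def simulate(gaps, timeout=SESSION_IDLE_TIMEOUT):
    """Replay requests separated by the given gaps (seconds).

    The user "logs in" on the first request by setting _auth_user_id, the key
    Django's auth app stores. Returns (logged_in_after_each_request, flushes).
    """
    clock = [1_000_000.0]
    session = FakeSession()
    mw = IdleSessionTimeoutMiddleware(lambda req: None, timeout=timeout,
                                      clock=lambda: clock[0])
    request = FakeRequest(session)
    states = []
    for i, gap in enumerate(gaps):
        clock[0] += gap
        mw(request)
        if i == 0:
            session["_auth_user_id"] = "42"
        states.append("_auth_user_id" in session)
    return states, session.flushed


if __name__ == "__main__":
    # Two 10-minute gaps keep the session alive (the window slides), while a
    # single gap longer than 15 minutes ends it: [True, True, True, False], 1 flush.
    print(simulate([0, 600, 600, 1000]))
```

Two 600-second gaps add up to more than the 900-second limit, yet the session survives because each request resets the timestamp; that is the "updated with activity" behaviour the question asks for, which set_expiry() alone does not give. The flush() call is what actually logs the user out; a session whose cookie the browser kept (see the note about Chrome below) is still useless to a returning user once the server-side data is gone.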

From docs https://docs.djangoproject.com/en/1.8/topics/http/sessions/#browser-length-sessions-vs-persistent-sessions
Some browsers (Chrome, for example) provide settings that allow users to continue browsing sessions after closing and re-opening the browser. In some cases, this can interfere with the SESSION_EXPIRE_AT_BROWSER_CLOSE setting and prevent sessions from expiring on browser close. Please be aware of this while testing Django applications which have the SESSION_EXPIRE_AT_BROWSER_CLOSE setting enabled.

Sessions expire when the user closes the browser:
This requirement is implemented by setting SESSION_EXPIRE_AT_BROWSER_CLOSE to True.
Reference
Sessions expire after a period of inactivity:
SESSION_COOKIE_AGE is the age of session cookies, in seconds.
Default: 1209600 (2 weeks, in seconds)
Reference
You should set these options in your settings/__init__.py.

Using the cache session engine makes sure the session will be closed when used together with SESSION_EXPIRE_AT_BROWSER_CLOSE = True:
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'

By default, SESSION_EXPIRE_AT_BROWSER_CLOSE is set to False, which means session cookies will be stored in users’ browsers for as long as SESSION_COOKIE_AGE. Use this if you don’t want people to have to log in every time they open a browser.
If SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, Django will use browser-length cookies – cookies that expire as soon as the user closes their browser. Use this if you want people to have to log in every time they open a browser.

Related

Django SESSION_COOKIE_AGE vs set_expiry()

I have noticed different behavior between SESSION_COOKIE_AGE and the set_expiry method. Usually I am using set_expiry on login, as it changes according to whether the user selects REMEMBER ME or not.
I understand that if I set SESSION_SAVE_EVERY_REQUEST to True, the expiration date will be updated on every user activity. However, I noticed that the expiration date of the session is updated on user activity without setting SESSION_SAVE_EVERY_REQUEST (default: False) and without modifying the session. On the other hand, it does not work that way if I set SESSION_COOKIE_AGE only, without a custom set_expiry.
From the documentation, it is mentioned that if we set a value using set_expiry:
the session will expire after that many seconds of inactivity
Does that mean INACTIVITY in accessing the application, or inactivity in modifying the session? And does set_expiry equal SESSION_COOKIE_AGE plus SESSION_SAVE_EVERY_REQUEST=True?

What happens if Cookie 'Expires/Max-Age' is 'N/A' or not set

I tried to increase the cookie expiry time and activated sliding expiry.
But the cookie expiry is still "N/A".
What problems will it cause, and why is the expiry not shown? In this case what will happen to the cookie, and when will it expire?
It means the cookie will expire at the end of the session (when the browser closes, but not always).
When user privacy is a concern, it is important that any web app implementation will invalidate cookie data after a certain timeout and won't rely on the browser clearing session cookies.
One of the most beloved features of Firefox prevents session cookies from ever expiring. The same issue is also occurring with Google Chrome (and probably with other browsers offering similar features).

How to check session expiration on close of browser in Django?

Here is the scenario I wish to handle in a Django application:
User logs in to the web application.
SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True.
User closes the browser window.
Now how do I receive the information that the session has been killed/destroyed?
Obviously, you can't know that in Django, since it is up to the browser to remove the cookie when the session ends (the browser is closed). If SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, the cookie will not include an Expires value, which specifies the lifetime of the cookie, and will thus be removed by the browser when the session ends.

Django, setting cookie

The question "Django: Cookie set to expire in 30 seconds is actually expiring in 30 minutes?" does
hr = HttpResponse('ok')
hr.set_cookie('user_id', user_id, max_age=30)
while https://stackoverflow.com/a/25179642/433570 does
request.session[user_id] = True
And both say they are setting a cookie.
What's the difference between the two?
Can I set the expiration with the request.session method?
In short, cookies are intended to be stored on the client side while sessions are stored on the server side (unless you're using cookie-based sessions).
Users can clear HTTP cookies from their browsers, but they can't do anything about the sessions on your server. Clearing sessions is up to you and your settings. There are some Django settings you can use to determine their age, like SESSION_COOKIE_AGE. For HTTP cookies it's possible to set attributes like max_age and expires.
Choosing which one to use depends on your requirements: are you going to store sensitive data, is permanence important, etc.
References:
Django sessions
Django request-response methods including set_cookie
Wikipedia HTTP cookies

Django session partially expired

I have a problem when using Django. I set:
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
So, when a user closes the browser, his session expires.
Now I also record the number of login attempts in the session:
request.session['try_times'] += 1
If a user tries too many times, the website will ask for a verification code.
But because of the setting above, the session expires after restarting the browser.
Is there any method that can meet the two requirements above at the same time?
That is to say, when the browser is closed, a user should be logged out, and the 'try_times' should not be deleted.
You can try to record the try_times on your server.
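One way to follow that advice, as an added example rather than code from the original page: keep the failed-login counter in a server-side store keyed by the target username and the client address, so it outlives the browser-length session. The point is not only persistence; a counter kept in the session can be reset by anyone who simply discards the session cookie, which is exactly what a password-guessing client would do. The MemoryCache class is a stand-in for django.core.cache.cache with the same get/set/delete signatures so the block runs without Django; ATTEMPT_LIMIT, ATTEMPT_WINDOW and the key format are assumptions for this example.

```python
import time

ATTEMPT_LIMIT = 5            # failed attempts before a CAPTCHA is required (assumed)
ATTEMPT_WINDOW = 15 * 60     # seconds a counter lives without new failures (assumed)


class MemoryCache:
    """Stand-in for django.core.cache.cache (get/set/delete with a timeout).

    Constructed for the stand-alone demo; in Django use the real cache, which
    is shared between processes and survives the user's session.
    """

    def __init__(self, clock=time.time):
        self._data = {}
        self._clock = clock

    def get(self, key, default=None):
        item = self._data.get(key)
        if item is None:
            return default
        value, expires = item
        if expires is not None and expires <= self._clock():
            del self._data[key]          # lazy expiry, like a TTL cache
            return default
        return value

    def set(self, key, value, timeout=None):
        expires = None if timeout is None else self._clock() + timeout
        self._data[key] = (value, expires)

    def delete(self, key):
        self._data.pop(key, None)


def attempt_key(username, client_ip):
    # Keyed by the credential under attack and the source, not by the session:
    # the attacker controls the session cookie but not these two values.
    return "login-attempts:%s:%s" % (username.strip().lower(), client_ip)


def record_failed_login(cache, username, client_ip):
    """Increment the counter and return the new value.

    get+set is not atomic; under heavy concurrent guessing a few increments
    may be lost. Django's cache.incr() is atomic on memcached/redis but
    raises ValueError for a missing key, so seed the key with set() first.
    """
    key = attempt_key(username, client_ip)
    count = cache.get(key, 0) + 1
    # Re-setting the timeout on every failure makes the window slide.
    cache.set(key, count, timeout=ATTEMPT_WINDOW)
    return count


def captcha_required(cache, username, client_ip):
    """True once the counter reached the limit; call this before checking the password."""
    return cache.get(attempt_key(username, client_ip), 0) >= ATTEMPT_LIMIT


def clear_attempts(cache, username, client_ip):
    """Call after a successful login so a legitimate user is not stuck behind the CAPTCHA."""
    cache.delete(attempt_key(username, client_ip))


def demo():
    """Five failures trigger the CAPTCHA for that user/IP only, and the
    requirement lapses after the window; returns [True, False, False]."""
    clock = [0.0]
    cache = MemoryCache(clock=lambda: clock[0])
    for _ in range(ATTEMPT_LIMIT):
        record_failed_login(cache, "Alice", "203.0.113.7")     # constructed sample input
    results = [
        captcha_required(cache, "alice", "203.0.113.7"),      # same user, same source
        captcha_required(cache, "alice", "198.51.100.9"),     # same user, other source
    ]
    clock[0] += ATTEMPT_WINDOW + 1                            # wait out the window
    results.append(captcha_required(cache, "alice", "203.0.113.7"))
    return results


if __name__ == "__main__":
    print(demo())
```

Closing and reopening the browser changes nothing here, because the browser never held the counter. Two caveats for the key choice: behind a proxy, take the client address from a header you trust (a raw X-Forwarded-For is attacker-controlled), and users behind a shared NAT will share a counter, which is why the limit only adds a CAPTCHA rather than locking the account.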