djangosession-timeout

Is there a way to combine behavior of SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE


For security reasons I set SESSION_EXPIRE_AT_BROWSER_CLOSE to true.

But, browser-length cookies (cookies that expire as soon as the user closes his or her browser) don't have a expire time, then SESSION_COOKIE_AGE has no effects (Yes, I check it). But I want to set a logout/timeout on inactivity plus to logout on browse closing.

My question is, What is the best way to implement inactivity timeout/logout in browser-length cookies scenario?


Solution

  • As you explain, SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE are not compatible. When you set an expiration date to a cookie, the cookie becomes a no browser-length cookie.

    In order to achieve your desired behaviour, you should set SESSION_EXPIRE_AT_BROWSER_CLOSE as True and control expire timeout by hand.

    An elegant way to control by hand expire timeout is:

    1. Create a new custom middleware that control timeout.
    2. Modify settings.py to enable your custom middleware (and sessions).

    The timeout custom middleware can looks like:

    # updated version that should work with django 1.10 middleware style
    # tested up to django 2.2
    
    import time
    from django.conf import settings
    from django.contrib.auth import logout
    
    
    class SessionIdleMiddleware:
        def __init__(self, get_response):
            self.get_response = get_response
    
        def __call__(self, request):
            if request.user.is_authenticated:
                if 'last_request' in request.session:
                    elapsed = time.time() - request.session['last_request']
                    if elapsed > settings.SESSION_IDLE_TIMEOUT:
                        del request.session['last_request'] 
                        logout(request)
                        # flushing the complete session is an option as well!
                        # request.session.flush()  
                request.session['last_request'] = time.time()
            else:
                if 'last_request' in request.session:
                    del request.session['last_request']
    
            response = self.get_response(request)
    
            return response
    

    Solution for ancient Django versions (pre 1.10)

    class timeOutMiddleware(object):
    
        def process_request(self, request):
            if request.user.is_authenticated():
                if 'lastRequest' in request.session:            
                    elapsedTime = datetime.datetime.now() - \
                                  request.session['lastRequest']
                    if elapsedTime.seconds > 15*60:
                        del request.session['lastRequest'] 
                        logout(request)
    
                request.session['lastRequest'] = datetime.datetime.now()
            else:
                if 'lastRequest' in request.session:
                    del request.session['lastRequest'] 
    
            return None
    

    Remember enable sessions in order to store lastRequest.

    This solution is wrote and tested be me and is now working in my site. This code has GNU license ;)

    New on django 1.6 ( ... two years later ... )

    Datetime and timedelta values are only serializable if you are using the PickleSerializer. If not, perhaps easy solution is translate datetime to unix timestamp and back. Be free to post below this translation.

    Edited

    django-session-security app provides a mechanism to logout inactive authenticated users. Take a look.