Opened 5 years ago

Closed 5 years ago

#10518 closed (invalid)

Idle timeouts do not clear session information

Reported by: Huuuze <nospamus+django@…>
Owned by: nobody
Component: contrib.auth
Version: 1.0
Severity:
Keywords: session timeout
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I have set the SESSION_COOKIE_AGE value in my settings.py file to expire sessions after 1 hour. Django successfully logs the user out of the session, however, the backend does not behave as one would expect in this situation. If a user logged out under normal conditions (i.e., clicks a "Logout" link), the session information is cleared from the "django.sessions" table. As such, I would expect an idle timeout (which is just a timed logout) to behave in the same manner. Unfortunately, Django simply creates a new session entry in the "django.sessions" table and the old, expired session remains in the table. The end result is a bloated "django.sessions" table that needs to be maintained through an external script.

Attachments (0)

Change History (3)

comment:1 follow-up: Changed 5 years ago by ikelly

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

comment:2 in reply to: ↑ 1 Changed 5 years ago by Huuuze <nospamus+django@…>

  • Resolution invalid deleted
  • Status changed from closed to reopened

Replying to ikelly:

This is the documented behavior. See http://docs.djangoproject.com/en/dev/topics/http/sessions/#clearing-the-session-table

I completely disagree with this assessment. Just because it's "documented behavior" doesn't make it correct.

Django terminates the session based upon the expiring cookie. As such, the timeout process should call "django.contrib.auth.logout", which clears out records from the django.sessions table.

How is the process of idling out any different from the user explicitly clicking a logout link? One is an implicit logout, whereas the other is an explicit logout. At the end of the day, it's the same net result -- a user's session has ended. This behavior should be fixed.

comment:3 Changed 5 years ago by Alex

  • Resolution set to invalid
  • Status changed from reopened to closed

Django doesn't expire the cookie, the browser does. Further, please don't reopen tickets closed by committers; feel free to bring it to the mailing list if you disagree with their decision.
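The behaviour the thread argues about, modelled as an added example (this is not Django's code and not part of the ticket): a sqlite3 table shaped like django_session, with the three operations discussed above. load() is the per-request lookup, which only matches rows whose expire_date is still in the future and starts a new empty session otherwise, leaving the stale row in place; logout() is what django.contrib.auth.logout does, flushing the session and deleting its row; clearsessions() is the maintenance step the documentation points to (the `cleanup` management command of the Django 1.0 era, `clearsessions` in later releases). Column layout, the timestamps and the session payload are constructed for the example.

```python
"""Added model of Django's database session backend (not Django's own code).

Shows why an idle timeout leaves a row behind while an explicit logout does
not, and what the documented cleanup step removes.
"""
import secrets
import sqlite3
from datetime import datetime, timedelta

SESSION_COOKIE_AGE = 3600  # seconds; the reporter's one-hour setting


def _ts(dt):
    # Fixed-width ISO strings so the SQL comparisons below are lexical and correct.
    return dt.isoformat(timespec="seconds")


class SessionTable:
    """Minimal stand-in for the django_session table (assumed layout, not Django's)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE django_session ("
            " session_key TEXT PRIMARY KEY,"
            " session_data TEXT NOT NULL,"
            " expire_date TEXT NOT NULL)"
        )

    def create(self, now, data=""):
        """Insert a fresh row, as the backend does when it starts a new session."""
        key = secrets.token_hex(16)
        expire = now + timedelta(seconds=SESSION_COOKIE_AGE)
        self.db.execute(
            "INSERT INTO django_session VALUES (?, ?, ?)", (key, data, _ts(expire))
        )
        return key

    def load(self, key, now):
        """Per-request lookup: only a row whose expire_date is still in the future
        matches. An unknown or expired key (or no key at all, if the browser has
        already discarded the cookie) gets a brand-new empty session, and the
        stale row is left where it is. This is the behaviour the reporter objects to."""
        row = self.db.execute(
            "SELECT session_data FROM django_session"
            " WHERE session_key = ? AND expire_date > ?",
            (key, _ts(now)),
        ).fetchone()
        if row is None:
            return self.create(now), ""
        return key, row[0]

    def logout(self, key):
        """Explicit logout: flushing the session deletes its row immediately."""
        self.db.execute("DELETE FROM django_session WHERE session_key = ?", (key,))

    def clearsessions(self, now):
        """The documented maintenance step: purge expired rows; returns rows removed."""
        cur = self.db.execute(
            "DELETE FROM django_session WHERE expire_date < ?", (_ts(now),)
        )
        return cur.rowcount

    def row_count(self):
        return self.db.execute("SELECT COUNT(*) FROM django_session").fetchone()[0]


def idle_timeout_scenario():
    """Log in, stay idle past SESSION_COOKIE_AGE, come back, then run cleanup."""
    t0 = datetime(2009, 3, 1, 12, 0, 0)  # constructed timestamp
    table = SessionTable()
    key = table.create(t0, data="_auth_user_id=1")  # constructed payload
    later = t0 + timedelta(seconds=SESSION_COOKIE_AGE + 60)
    new_key, data = table.load(key, later)  # expired: new key, empty data
    result = {
        "new_key_issued": new_key != key,
        "data_after_timeout": data,
        "rows_after_timeout": table.row_count(),   # stale row plus the new one
        "rows_purged": table.clearsessions(later),  # only the stale row goes
    }
    result["rows_after_cleanup"] = table.row_count()
    return result


def explicit_logout_scenario():
    """Log in, then click Logout: the row is gone at once, no cleanup needed."""
    t0 = datetime(2009, 3, 1, 12, 0, 0)  # constructed timestamp
    table = SessionTable()
    key = table.create(t0, data="_auth_user_id=1")
    table.logout(key)
    return table.row_count()


if __name__ == "__main__":
    print(idle_timeout_scenario())
    print(explicit_logout_scenario())
```

The server never receives a "the cookie expired" event, which is Alex's point: the browser silently stops sending it, and the only server-side signal is a request with no valid key, which looks the same as a first visit. That is why the expired row can only be removed by a periodic purge, and why the purge should be scheduled (cron or equivalent) on any deployment using the database backend.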
