Idle timeouts do not clear session information

[Huuuze <nospamus+django@…>]

I have set the SESSION_COOKIE_AGE value in my settings.py file to expire sessions after 1 hour. Django successfully logs the user out of the session, however, the backend does not behave as one would expect in this situation. If a user logged out under normal conditions (i.e., clicks a "Logout" link), the session information ​is cleared from the "django.sessions" table. As such, I would expect an idle timeout (which is just a timed logout) to behave in the same manner. Unfortunately, Django simply creates a new session entry in the "django.sessions" table and the old, expired session remains in the table. The end result is a bloated "django.sessions" table that needs to be maintained through an external script.

[Erin Kelly]

This is the documented behavior. See ​http://docs.djangoproject.com/en/dev/topics/http/sessions/#clearing-the-session-table

[Huuuze <nospamus+django@…>]

Replying to ikelly:

This is the documented behavior. See ​http://docs.djangoproject.com/en/dev/topics/http/sessions/#clearing-the-session-table

I completely disagree with this assessment. Just because it's "documented behavior" doesn't make it correct.

Django terminates the session based upon the expiring cookie. As such, the timeout process should call "django.contrib.auth.logout", which clears out records from the django.sessions table.

How is the process of idling out any different from the user explicitly clicking a logout link? One is an implicit logout, whereas the other is an explicit logout. At the end of the day, its the same net result -- a user's session has ended. This behavior should be fixed.

[Alex Gaynor]

Django doesn't expire the cookie, the browser does. Further, please don't reopen tickets closed by commiters, feel free to bring it to the mailing list if you disagree with their decision.