Opened 10 years ago

Closed 10 years ago

#10518 closed (invalid)

Idle timeouts do not clear session information

Reported by: Huuuze <nospamus+django@…> Owned by: nobody
Component: contrib.auth Version: 1.0
Severity: Keywords: session timeout
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


I have set the SESSION_COOKIE_AGE value in my file to expire sessions after 1 hour. Django successfully logs the user out of the session, however, the backend does not behave as one would expect in this situation. If a user logged out under normal conditions (i.e., clicks a "Logout" link), the session information is cleared from the "django.sessions" table. As such, I would expect an idle timeout (which is just a timed logout) to behave in the same manner. Unfortunately, Django simply creates a new session entry in the "django.sessions" table and the old, expired session remains in the table. The end result is a bloated "django.sessions" table that needs to be maintained through an external script.

Change History (3)

comment:1 Changed 10 years ago by Ian Kelly

Resolution: invalid
Status: newclosed

comment:2 in reply to:  1 Changed 10 years ago by Huuuze <nospamus+django@…>

Resolution: invalid
Status: closedreopened

Replying to ikelly:

This is the documented behavior. See

I completely disagree with this assessment. Just because it's "documented behavior" doesn't make it correct.

Django terminates the session based upon the expiring cookie. As such, the timeout process should call "django.contrib.auth.logout", which clears out records from the django.sessions table.

How is the process of idling out any different from the user explicitly clicking a logout link? One is an implicit logout, whereas the other is an explicit logout. At the end of the day, its the same net result -- a user's session has ended. This behavior should be fixed.

comment:3 Changed 10 years ago by Alex Gaynor

Resolution: invalid
Status: reopenedclosed

Django doesn't expire the cookie, the browser does. Further, please don't reopen tickets closed by commiters, feel free to bring it to the mailing list if you disagree with their decision.

Note: See TracTickets for help on using tickets.
Back to Top