Opened 14 years ago
Closed 12 years ago
#15246 closed Bug (wontfix)
Allow to change session expiration without re-saving session data.
| Reported by: | Piotr Czachur | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | 1.4 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When authenticated user is accessing pages which don't modify the session, the session expiration time (stored both in COOKIE and in backend) isn't updated, so after settings.SESSION_COOKIE_AGE second he will be logged out despite he's been active for all the time. It's not fair :-). I'm aware that I can force to always update expiration time via settings.SESSION_SAVE_EVERY_REQUEST, it's just inefficient to save session data knowing it wasn't modified at all.
My proposition it to allow to change and save session expiration time without touching session data.
Attachments (1)
Change History (8)
comment:1 by , 14 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 14 years ago
| Severity: | → Normal |
|---|---|
| Type: | → New feature |
by , 13 years ago
| Attachment: | session_accessed_upd.diff added |
|---|
comment:3 by , 13 years ago
| Easy pickings: | unset |
|---|---|
| Has patch: | set |
| UI/UX: | unset |
| Version: | 1.3-alpha → SVN |
comment:4 by , 12 years ago
| Type: | New feature → Bug |
|---|---|
| Version: | master → 1.4 |
Still a valid ticket in 1.4? Is the above patch helpful?
comment:5 by , 12 years ago
| Needs tests: | set |
|---|
comment:6 by , 12 years ago
This is complicated :)
Expiration is handled both server-side and client-side. See this massive comment for a complete description of Django's current behavior. The patch above doesn't work because it only makes the session survive on the client-side. It will still be invalidated on the server side.
The cache session backend — which is a commendable choice if you have a cache server — won't be able to change the expiry time without re-saving the entire session. It isn't an operation supported by cache servers in general.
Currently, when a non-default expiry date is set, it's stored in the session. If #19201 is accepted, the expiry date will always be saved in the session. Since the session is signed, changing the expiry invalidates the signature, and requires re-saving the entire session.
For these two reasons, while your comment is valid — saving the entire session just to change the expiry date seems overkill — I don't believe it's possible to optimize the general case.
PS: an ugly (and untested) hack to keep sessions alive but only save them once a day:
import datetime
class SessionKeepAliveMiddleware(object):
def process_request(self, request):
today = str(datetime.date.today())
if request.session['keepalive'] != today:
request.session['keepalive'] = today
comment:7 by , 12 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Isn't this ticket only about adding one more condition to django/contrib/sessions/middleware.py? (diff attached)