Opened 5 years ago

Closed 4 years ago

#15246 closed Bug (wontfix)

Allow to change session expiration without re-saving session data.

Reported by: zimnyx Owned by: nobody
Component: contrib.sessions Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: no UI/UX: no


When authenticated user is accessing pages which don't modify the session, the session expiration time (stored both in COOKIE and in backend) isn't updated, so after settings.SESSION_COOKIE_AGE second he will be logged out despite he's been active for all the time. It's not fair :-). I'm aware that I can force to always update expiration time via settings.SESSION_SAVE_EVERY_REQUEST, it's just inefficient to save session data knowing it wasn't modified at all.

My proposition it to allow to change and save session expiration time without touching session data.

Attachments (1)

session_accessed_upd.diff (628 bytes) - added by aalexapolsky 5 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 5 years ago by russellm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 5 years ago by lrekucki

  • Severity set to Normal
  • Type set to New feature

Changed 5 years ago by aalexapolsky

comment:3 Changed 5 years ago by aalexapolsky

  • Easy pickings unset
  • Has patch set
  • UI/UX unset
  • Version changed from 1.3-alpha to SVN

Isn't this ticket only about adding one more condition to django/contrib/sessions/ (diff attached)

comment:4 Changed 4 years ago by anonymous

  • Type changed from New feature to Bug
  • Version changed from master to 1.4

Still a valid ticket in 1.4? Is the above patch helpful?

comment:5 Changed 4 years ago by claudep

  • Needs tests set

comment:6 Changed 4 years ago by aaugustin

This is complicated :)

Expiration is handled both server-side and client-side. See this massive comment for a complete description of Django's current behavior. The patch above doesn't work because it only makes the session survive on the client-side. It will still be invalidated on the server side.

The cache session backend — which is a commendable choice if you have a cache server — won't be able to change the expiry time without re-saving the entire session. It isn't an operation supported by cache servers in general.

Currently, when a non-default expiry date is set, it's stored in the session. If #19201 is accepted, the expiry date will always be saved in the session. Since the session is signed, changing the expiry invalidates the signature, and requires re-saving the entire session.

For these two reasons, while your comment is valid — saving the entire session just to change the expiry date seems overkill — I don't believe it's possible to optimize the general case.

PS: an ugly (and untested) hack to keep sessions alive but only save them once a day:

import datetime
class SessionKeepAliveMiddleware(object):
    def process_request(self, request):
        today = str(
        if request.session['keepalive'] != today:
            request.session['keepalive'] = today

comment:7 Changed 4 years ago by aaugustin

  • Resolution set to wontfix
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.
Back to Top