Opened 6 years ago

Closed 4 years ago

#15246 closed Bug (wontfix)

Allow to change session expiration without re-saving session data.

Reported by: Piotr Czachur
Owned by: nobody
Component: contrib.sessions
Version: 1.4
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When an authenticated user is accessing pages which don't modify the session, the session expiration time (stored both in the cookie and in the backend) isn't updated, so after settings.SESSION_COOKIE_AGE seconds he will be logged out despite having been active the whole time. It's not fair :-). I'm aware that I can force the expiration time to always be updated via settings.SESSION_SAVE_EVERY_REQUEST; it's just inefficient to save session data knowing it wasn't modified at all.

My proposition is to allow changing and saving the session expiration time without touching session data.

Attachments (1)

session_accessed_upd.diff (628 bytes) - added by Alex Alexapolsky 5 years ago.


Change History (8)

comment:1 Changed 6 years ago by Russell Keith-Magee

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

comment:2 Changed 5 years ago by Łukasz Rekucki

Severity: Normal
Type: New feature

Changed 5 years ago by Alex Alexapolsky

Attachment: session_accessed_upd.diff added

comment:3 Changed 5 years ago by Alex Alexapolsky

Easy pickings: unset
Has patch: set
UI/UX: unset
Version: 1.3-alpha → SVN

Isn't this ticket only about adding one more condition to django/contrib/sessions/middleware.py? (diff attached)

comment:4 Changed 4 years ago by anonymous

Type: New feature → Bug
Version: master → 1.4

Still a valid ticket in 1.4? Is the above patch helpful?

comment:5 Changed 4 years ago by Claude Paroz

Needs tests: set

comment:6 Changed 4 years ago by Aymeric Augustin

This is complicated :)

Expiration is handled both server-side and client-side. See this massive comment for a complete description of Django's current behavior. The patch above doesn't work because it only makes the session survive on the client-side. It will still be invalidated on the server side.


The cache session backend — which is a commendable choice if you have a cache server — won't be able to change the expiry time without re-saving the entire session. It isn't an operation supported by cache servers in general.

Currently, when a non-default expiry date is set, it's stored in the session. If #19201 is accepted, the expiry date will always be saved in the session. Since the session is signed, changing the expiry invalidates the signature, and requires re-saving the entire session.

For these two reasons, while your comment is valid — saving the entire session just to change the expiry date seems overkill — I don't believe it's possible to optimize the general case.


PS: an ugly (and untested) hack to keep sessions alive but only save them once a day:

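import datetime

class SessionKeepAliveMiddleware(object):
    def process_request(self, request):
        today = str(datetime.date.today())
        # .get() avoids a KeyError on sessions that have no marker yet.
        if request.session.get('keepalive') != today:
            # Modifying the session makes SessionMiddleware save it and
            # refresh the expiry, at most once per day.
            request.session['keepalive'] = today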
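
Added example, not part of the ticket or of Django's code: a stand-alone model of the two expiry clocks described in comment:6, replaying read-only requests under four policies to show when an active user is logged out and how many backend writes each policy costs. The names `Server` and `simulate`, the policy labels, the 14-day cookie age and the 6-hour request spacing are assumptions made for the illustration.

```python
# Added illustration: a stand-alone model of the two expiry clocks, not Django code.
from dataclasses import dataclass

DAY = 24 * 3600
COOKIE_AGE = 14 * DAY  # constructed value standing in for SESSION_COOKIE_AGE

@dataclass
class Server:
    expire_at: int = 0       # server-side expiry of the stored session
    keepalive_day: int = -1  # marker kept in the session data
    writes: int = 0          # number of backend saves

    def save(self, now):
        # A save rewrites the whole session and restarts the server-side clock.
        self.expire_at = now + COOKIE_AGE
        self.writes += 1

def simulate(policy, days=30, step=6 * 3600):
    """Replay read-only requests every `step` seconds for `days` days.

    Returns (time of forced logout in seconds or None, backend writes).
    """
    server = Server()
    server.save(0)               # login stores the session once
    cookie_expires = COOKIE_AGE  # client-side clock
    for now in range(step, days * DAY + 1, step):
        if now >= cookie_expires or now >= server.expire_at:
            return now, server.writes  # either clock running out ends the session
        refresh_cookie = policy in ("cookie_only", "every_request")
        if policy == "every_request":  # SESSION_SAVE_EVERY_REQUEST
            server.save(now)
        elif policy == "daily_keepalive" and server.keepalive_day != now // DAY:
            server.keepalive_day = now // DAY  # data changes once per day
            server.save(now)
            refresh_cookie = True
        if refresh_cookie:
            cookie_expires = now + COOKIE_AGE
    return None, server.writes

if __name__ == "__main__":
    for name in ("default", "cookie_only", "every_request", "daily_keepalive"):
        print(name, simulate(name))
```

In this model the cookie-only refresh is logged out at the same moment as the default policy, because the server-side clock never moves; the daily marker keeps the session alive with 32 writes against 121 for saving on every request.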

comment:7 Changed 4 years ago by Aymeric Augustin

Resolution: wontfix
Status: new → closed