Opened 13 years ago

Closed 11 years ago

#15246 closed Bug (wontfix)

Allow to change session expiration without re-saving session data.

Reported by: Piotr Czachur Owned by: nobody
Component: contrib.sessions Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When authenticated user is accessing pages which don't modify the session, the session expiration time (stored both in COOKIE and in backend) isn't updated, so after settings.SESSION_COOKIE_AGE second he will be logged out despite he's been active for all the time. It's not fair :-). I'm aware that I can force to always update expiration time via settings.SESSION_SAVE_EVERY_REQUEST, it's just inefficient to save session data knowing it wasn't modified at all.

My proposition it to allow to change and save session expiration time without touching session data.

Attachments (1)

session_accessed_upd.diff (628 bytes ) - added by Alex Alexapolsky 12 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 by Russell Keith-Magee, 13 years ago

Triage Stage: UnreviewedAccepted

comment:2 by Łukasz Rekucki, 13 years ago

Severity: Normal
Type: New feature

by Alex Alexapolsky, 12 years ago

Attachment: session_accessed_upd.diff added

comment:3 by Alex Alexapolsky, 12 years ago

Easy pickings: unset
Has patch: set
UI/UX: unset
Version: 1.3-alphaSVN

Isn't this ticket only about adding one more condition to django/contrib/sessions/middleware.py? (diff attached)

comment:4 by anonymous, 12 years ago

Type: New featureBug
Version: master1.4

Still a valid ticket in 1.4? Is the above patch helpful?

comment:5 by Claude Paroz, 12 years ago

Needs tests: set

comment:6 by Aymeric Augustin, 11 years ago

This is complicated :)

Expiration is handled both server-side and client-side. See this massive comment for a complete description of Django's current behavior. The patch above doesn't work because it only makes the session survive on the client-side. It will still be invalidated on the server side.


The cache session backend — which is a commendable choice if you have a cache server — won't be able to change the expiry time without re-saving the entire session. It isn't an operation supported by cache servers in general.

Currently, when a non-default expiry date is set, it's stored in the session. If #19201 is accepted, the expiry date will always be saved in the session. Since the session is signed, changing the expiry invalidates the signature, and requires re-saving the entire session.

For these two reasons, while your comment is valid — saving the entire session just to change the expiry date seems overkill — I don't believe it's possible to optimize the general case.


PS: an ugly (and untested) hack to keep sessions alive but only save them once a day:

import datetime
class SessionKeepAliveMiddleware(object):
    def process_request(self, request):
        today = str(datetime.date.today())
        if request.session['keepalive'] != today:
            request.session['keepalive'] = today

comment:7 by Aymeric Augustin, 11 years ago

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.
Back to Top