Add link from Session object to User object

[David]

When designing web apps, a common pattern is presenting users with a list of existing sessions (and the subsequent ability to end any or all of their existing open sessions). This is useful for a number of security reasons, and allows users to make sure there are no open sessions they don't recognize.

However, currently Django has no direct link from a Session to an authenticated User. There are multiple projects (django-user-sessions and django-qsessions) that exist largely to add this functionality, and a series of blog and Stackoverflow threads advocating various other solutions including the use of a secondary UserSession model with ForeignKey fields linking to the current session and current user. This method is the least disruptive to stock Django, although not perfect either since the session isn't always saved by the time the logged_in signal fires.

Adding a user field to the existing Session model would add this significant functionality and remove the need for external packages and user workarounds. Systems that wanted to track additional information about sessions could still override and extend the model, but for many users a simple link from sessions to users would likely be sufficient. An additional field in the Session would would maintain backward compatibility as sessions could be updated to save the field as they were accessed again, and/or developers could be advised to clear existing sessions if they want to use this functionality from the start.

[Mariusz Felisiak]

Duplicate of #19449.

[David]

Sorry about that, hadn't been able to find an original issue and hadn't thought about non-DB backends.