#35806 closed New feature (wontfix)
Allow the user to list and delete their sessions
Reported by: | Paolo Melchiorre | Owned by: | |
---|---|---|---|
Component: | contrib.sessions | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Goal
A user should be able to see which of their sessions are active.
Make it easy to see their current sessions.
If a user notices unusual actions on them, they should be able to stop those actions by locking the session.
Future
It might be useful in the future to add more information to sessions such as: unique device identifier, IP address
As a result, a device could always be connected to a session and a session is always connected to at least one device.
A device would be tracked with its last activity.
The same device would be updated every X seconds to track its usage in terms of duration of activity, based on the settings for that device.
Tracking data would be collected within the session itself.
This data would be updated in the database when needed (based on elapsed time) or in the cache, if sessions are stored there.
Each user should see data from their devices.
Administrators should be able to see all devices.
Change History (3)
comment:1 by , 7 weeks ago
comment:2 by , 7 weeks ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Hello Paolo! Thank you for taking the time to create this report requesting a new feature.
The documented guidelines for requesting features require seeking and gaining community consensus before accepting a ticket for a New Feature. Because of that, the recommended path forward is to first propose and discuss the idea with the community by starting a new conversation on the Django Forum.
I'll close the ticket for now, but if the community agrees with the proposal, please return to this ticket and reference the forum discussion so we can re-open it.
Personally, I feel that a feature like the one described is risky because:
- The information suggested to be recorded (IP address, device ID, country, etc.) are all part of PII which has to be treated with great care and must follow the regulations of various countries and regions.
- This would greatly increase the chance of receiving security reports, even if not all are valid, it would highly increase the workload for the Security Team.
Achieving this feature correctly feels very complex and challenging. At the very least I think we should have this as a new 3rd party app to have an idea of usage, acceptance, and implementation details.
comment:3 by , 7 weeks ago
This is implemented in the django-user-sessions Jazzband package.
https://pypi.org/project/django-user-sessions/
I think it may need some maintenance help to update to the latest Django, but it's been generally well looked after over the years.
Hello!
I think you need to first clarify what's the meaning of "user" here.
If you're talking about a web user who is interacting with the django server by sending requests, then can you clarify what's the meaning of "Allow the user to list and delete their sessions"? Because in my understanding, a web user can't execute any codes in the Django server. Also in a general point of view, Django’s built-in session management is intentionally abstracted from the end-user to keep interactions simple and intuitive.
From a server-side point of view, if you want to log out a user (clean session), you can just call logout function.
So in conclusion, can you make your ticket clearer?