Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#8452 closed (invalid)

expire time in session being updated frequently

Reported by: TP Owned by: nobody
Component: contrib.sessions Version: 1.0-alpha-2
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


We noticed that one of our user's session info in django_session has it's expire date moved into the future periodically. We are not calling set_expiry() on the session. My understanding was that the expire date was a constant for a given session key -- it is set when the session is created and never changes unless set_expiry() is called.

While reading through the Django Sessions docs, though, I noticed this bit:

To change this default behavior, set the SESSION_SAVE_EVERY_REQUEST setting to True. If SESSION_SAVE_EVERY_REQUEST is True, Django will save the session to the database on every single request.

Note that the session cookie is only sent when a session has been created or modified. If SESSION_SAVE_EVERY_REQUEST is True, the session cookie will be sent on every request.

Similarly, the expires part of a session cookie is updated each time the session cookie is sent.

Does this mean that the cookie is sent whenever the session data changes and that this triggers the expiration date to move forward? If so, why is that? It seems that's the wrong behavior since I would think the expiration of someone's remembered login etc would have nothing to do with when the session data was last updated.

Change History (2)

comment:1 Changed 10 years ago by Malcolm Tredinnick

Resolution: invalid
Status: newclosed

The session expiry age is the period of inactivity after which the session will expire. The documentation could arguably be clarified to make this clearer, but the behaviour you're seeing is correct: every change to the session indicates it is not idle.

comment:2 Changed 10 years ago by TP

Should I open a docs ticket? The current docs make it sound (to me at least) like some of the expiration dates are absolute -- for example, passing a datetime to set_expiry says the session will expire at that datetime, no if ands or buts. But that doesn't sound like it's the case. Similarly, the setting SESSION_COOKIE_AGE says how long the session should live, not that every write to the session will push the expiration date out this many seconds.

Note: See TracTickets for help on using tickets.
Back to Top