Code

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#8452 closed (invalid)

expire time in session being updated frequently

Reported by: TP Owned by: nobody
Component: contrib.sessions Version: 1.0-alpha-2
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

We noticed that one of our user's session info in django_session has it's expire date moved into the future periodically. We are not calling set_expiry() on the session. My understanding was that the expire date was a constant for a given session key -- it is set when the session is created and never changes unless set_expiry() is called.

While reading through the Django Sessions docs, though, I noticed this bit:

To change this default behavior, set the SESSION_SAVE_EVERY_REQUEST setting to True. If SESSION_SAVE_EVERY_REQUEST is True, Django will save the session to the database on every single request.

Note that the session cookie is only sent when a session has been created or modified. If SESSION_SAVE_EVERY_REQUEST is True, the session cookie will be sent on every request.

Similarly, the expires part of a session cookie is updated each time the session cookie is sent.

Does this mean that the cookie is sent whenever the session data changes and that this triggers the expiration date to move forward? If so, why is that? It seems that's the wrong behavior since I would think the expiration of someone's remembered login etc would have nothing to do with when the session data was last updated.

Attachments (0)

Change History (2)

comment:1 Changed 6 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

The session expiry age is the period of inactivity after which the session will expire. The documentation could arguably be clarified to make this clearer, but the behaviour you're seeing is correct: every change to the session indicates it is not idle.

comment:2 Changed 6 years ago by TP

Should I open a docs ticket? The current docs make it sound (to me at least) like some of the expiration dates are absolute -- for example, passing a datetime to set_expiry says the session will expire at that datetime, no if ands or buts. But that doesn't sound like it's the case. Similarly, the setting SESSION_COOKIE_AGE says how long the session should live, not that every write to the session will push the expiration date out this many seconds.

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.