I'm developing an application in Django with some specific security requirements. One of them is to disable the default behaviour of automatically extending the expiry of sessions on activity. Yes, I want sessions to expire unless explicitly renewed (e.g. re-login, renew token, etc. - not relevant right now).
How is this improving security? Well, a malicious user taking control over the PC of the victim will then only have access to the application with the victim authenticated for only a limited time.
Unfortunately, using `django.contrib.sessions`, this seems not configurable as the modification time of the session is being used thoroughly and in the very base of the backends (`backends/base.py`) for the server-side storage as well as in the middleware component (`middleware.py`) for the HTTP cookie. Also, the expiry is only accessible in the relative form to the modification time internally (`SessionStore._session_expiry`) as only the session data is being loaded into the session object. So, unless we ask the model directly (`Session.objects.get(pk=s.session_key).expire_date` - ugh, ugly), we don't know what the expire date is.
How do I implement this properly? Is this possible without reimplementing the methods `get_expiry_*` and the `process_response()` middleware function? I'd rather avoid that as I think it might break at a later time in case Django gets updated.
Trying that out by setting a custom session variable to keep track of the expiry in my own terms (like in this answer) seems not only redundant, but it also confuses other apps/code asking `SessionStore.get_expiry_age()` while my middleware would enforce a different expiry. Therefore, I'm considering this approach to be too low in quality for my purposes.
Am I right in my assumptions above? Should I request this as a new feature and patch it myself in the meantime?
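The distinction the question turns on, sliding versus absolute expiry, and the consistency problem it raises (an accessor like `get_expiry_age()` reporting something other than what is enforced) can be shown in a few lines without Django. The following is an added, framework-independent model written for this page; it is not code from the question, from django.contrib.sessions, or from any answer. The class and function names (`Session`, `touch_sliding`, `touch_absolute`, `renew`, `simulate`) and the 1800-second lifetime are assumptions chosen for illustration; the only Django-like thing it keeps is that the reported remaining age is derived from the same timestamp the policy enforces.

```python
"""Absolute (non-sliding) session expiry, modelled outside Django.

Added example, not code from the question or from django.contrib.sessions.
It contrasts the default sliding policy (each request pushes the expiry
forward) with an absolute policy (expiry fixed at creation or explicit
renewal), while keeping a get_expiry_age()-style accessor consistent with
what is actually enforced. All names here are assumptions for illustration.
"""
from dataclasses import dataclass, field

SESSION_COOKIE_AGE = 1800  # seconds; constructed value for this example


@dataclass
class Session:
    created_at: float
    expire_at: float          # the single source of truth for expiry
    data: dict = field(default_factory=dict)

    def get_expiry_age(self, now: float) -> int:
        """Seconds left, never negative, derived from the enforced expire_at."""
        return max(0, int(self.expire_at - now))

    def is_expired(self, now: float) -> bool:
        return now >= self.expire_at


def new_session(now: float, max_age: int = SESSION_COOKIE_AGE) -> Session:
    return Session(created_at=now, expire_at=now + max_age)


def touch_sliding(session: Session, now: float, max_age: int = SESSION_COOKIE_AGE) -> bool:
    """Default-style policy: any activity on a live session extends it by max_age."""
    if session.is_expired(now):
        return False
    session.expire_at = now + max_age
    return True


def touch_absolute(session: Session, now: float) -> bool:
    """Absolute policy: activity never moves expire_at; only validity is checked."""
    return not session.is_expired(now)


def renew(session: Session, now: float, max_age: int = SESSION_COOKIE_AGE) -> None:
    """Explicit renewal (re-login, token renewal) is the only way to extend an absolute session."""
    session.expire_at = now + max_age


def simulate(policy: str, activity_times, max_age: int = SESSION_COOKIE_AGE):
    """Return [(t, still_valid, reported_expiry_age)] for a session created at t=0."""
    s = new_session(0.0, max_age)
    out = []
    for t in activity_times:
        ok = touch_sliding(s, t, max_age) if policy == "sliding" else touch_absolute(s, t)
        out.append((t, ok, s.get_expiry_age(t)))
    return out


if __name__ == "__main__":
    # Constructed timeline: requests every 1000 s against a 1800 s lifetime.
    for policy in ("sliding", "absolute"):
        print(policy, simulate(policy, [0, 1000, 2000, 3000]))
```

Under the sliding policy every request in the timeline succeeds and the reported age is always the full lifetime, so a session that stays active never ends; under the absolute policy the reported age counts down and the third request is rejected, which is the bounded-exposure property the question is after. Because `get_expiry_age()` reads the same `expire_at` the policy checks, other code asking for the remaining lifetime sees the enforced value rather than a parallel bookkeeping key.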