31

I'm working on a website that requires us to log a user out after N minutes of inactivity. Are there any best practices for this using Django?

Super Kai - Kazuya Ito
Brian Tol

5 Answers

55

Take a look at the session middleware and its settings. Specifically these two:

SESSION_COOKIE_AGE

Default: 1209600 (2 weeks, in seconds)

The age of session cookies, in seconds.

SESSION_SAVE_EVERY_REQUEST

Default: False

Whether to save the session data on every request. If this is False (default), then the session data will only be saved if it has been modified -- that is, if any of its dictionary values have been assigned or deleted.

Setting a low SESSION_COOKIE_AGE and turning SESSION_SAVE_EVERY_REQUEST on should work to create "sliding" expiration.

Lance McNearney
4

Setting the session cookie age in the django session middleware just sets the expiry time in the set-cookie header passed back to the browser. It's only browser compliance with the expiry time that enforces the "log out".

Depending on your reasons for needing the idle log-out, you might not consider browser compliance with the expiry time good enough. In which case you'll need to extend the session middleware to do so.

For example you might store an expiry time in your session engine which you update with requests. Depending on the nature of traffic to your site, you may wish to only write back to the session object once in X seconds to avoid excessive db writes.

MattH
  • This doesn't seem to be true in Django 1.4. The Set-Cookie header I get back from the server looks like this: `Set-Cookie=csrftoken=... sessionid=365ede0dd7038cc70796f9f724bc21b6; httponly; Path=/` It doesn't have an expiration time, so the expiration must be enforced on the server side. – Nathan Aug 01 '12 at 03:09
  • Nice that the session middleware has been improved. I'm not sure what I should do about this answer that was accurate at the time. – MattH Aug 01 '12 at 09:54
  • I think it's fine to leave your answer as is because it was correct at time of writing. – Nathan Aug 02 '12 at 02:12
  • @Nathan: Ah, I've done a little more reading, there's a new session backend using cookies in Django 1.4. However, in your case, a cookie without an expiration time is a [Session Cookie](http://en.wikipedia.org/wiki/HTTP_cookie#Session_cookie) which should be deleted when the browser closes. In this case Django isn't necessarily doing any form of "idle log-out". – MattH Aug 02 '12 at 10:03
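The server-side variant MattH describes above (an activity timestamp stored in the session, refreshed on requests, and written back only once every X seconds to limit database writes), as an added example that is not code from the answer, from Django, or from any of the commenters. It is written in the callable middleware shape Django uses and touches only `request.session`, `request.user` and `session.flush()`, so it runs here without Django installed; the names `IdleSessionTimeoutMiddleware`, `check_idle`, `LAST_ACTIVITY_KEY`, the demo classes and the timing constants are assumptions for this example. In a real project it would be listed in `MIDDLEWARE` after the session and authentication middleware, with `django.contrib.auth.logout` passed as the `logout` callable so that `request.user` is also reset for the rest of the request.

```python
import time

# Constructed defaults for this example (not Django settings names).
IDLE_TIMEOUT_SECONDS = 15 * 60       # log out after 15 minutes without a request
WRITE_INTERVAL_SECONDS = 60          # persist the timestamp at most once a minute
LAST_ACTIVITY_KEY = "last_activity"  # hypothetical session key


def check_idle(session, now, idle_timeout=IDLE_TIMEOUT_SECONDS,
               write_interval=WRITE_INTERVAL_SECONDS):
    """Classify an authenticated request at time `now` against the session.

    Returns "expire" if the gap since the stored timestamp exceeds idle_timeout,
    "touch" if the timestamp is missing or old enough to be worth rewriting,
    and "skip" if it was written less than write_interval ago (no DB write).
    """
    last = session.get(LAST_ACTIVITY_KEY)
    if last is None:
        return "touch"
    elapsed = now - last
    if elapsed > idle_timeout:
        return "expire"
    if elapsed >= write_interval:
        return "touch"
    return "skip"


def _flush_logout(request):
    # Default logout: discard server-side session data and rotate the session key.
    # In a Django project pass django.contrib.auth.logout instead, which also
    # resets request.user to AnonymousUser for the rest of this request.
    request.session.flush()


class IdleSessionTimeoutMiddleware:
    """Idle logout enforced on the server, not by the browser honouring the
    cookie expiry. Django-style middleware: __init__ receives the next
    handler, __call__ runs before the view."""

    def __init__(self, get_response, clock=time.time, logout=_flush_logout,
                 idle_timeout=IDLE_TIMEOUT_SECONDS,
                 write_interval=WRITE_INTERVAL_SECONDS):
        self.get_response = get_response
        self.clock = clock  # injectable so the demo below is deterministic
        self.logout = logout
        self.idle_timeout = idle_timeout
        self.write_interval = write_interval

    def __call__(self, request):
        user = getattr(request, "user", None)
        if user is not None and getattr(user, "is_authenticated", False):
            now = self.clock()
            action = check_idle(request.session, now,
                                self.idle_timeout, self.write_interval)
            if action == "expire":
                self.logout(request)  # the view then runs for an anonymous user
            elif action == "touch":
                # Assigning a key marks the session modified, so it is saved
                # on this request even with SESSION_SAVE_EVERY_REQUEST = False.
                request.session[LAST_ACTIVITY_KEY] = now
            request.idle_action = action  # exposed for the demo below
        return self.get_response(request)


# --- Stand-alone demo with constructed stand-ins for Django objects ---------

class DemoSession(dict):
    """Dict plus the flush() method the middleware relies on."""
    def flush(self):
        self.clear()


class DemoRequest:
    def __init__(self, session):
        self.session = session
        self.user = type("User", (), {"is_authenticated": True})()


def simulate(request_times, idle_timeout=IDLE_TIMEOUT_SECONDS,
             write_interval=WRITE_INTERVAL_SECONDS):
    """Replay one logged-in user's requests at the given timestamps
    (constructed data) and return the action taken for each request."""
    session = DemoSession()
    clock = {"now": 0.0}
    middleware = IdleSessionTimeoutMiddleware(
        lambda req: "response", clock=lambda: clock["now"],
        idle_timeout=idle_timeout, write_interval=write_interval)
    actions = []
    for t in request_times:
        clock["now"] = float(t)
        request = DemoRequest(session)
        middleware(request)
        actions.append(request.idle_action)
    return actions


if __name__ == "__main__":
    # Requests at 0s, 30s, 90s and 1000s: the last arrives 910s after the
    # stored timestamp (90s), past the 900s limit, so it is logged out.
    print(simulate([0, 30, 90, 1000]))  # ['touch', 'skip', 'touch', 'expire']
```

The write throttle is what keeps this cheap: the second request at 30s is within `WRITE_INTERVAL_SECONDS` of the stored timestamp, so nothing is written, and the worst-case overshoot of the idle limit is one write interval. In the demo the user object stays "authenticated" after the expiry, so the request after it starts a fresh timestamp; with Django's real `logout` the user would be anonymous and the middleware would simply skip.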
4

In "settings.py", for the session expiry time, set SESSION_COOKIE_AGE, which is 1209600 seconds (2 weeks) by default, and for inactivity logout set SESSION_SAVE_EVERY_REQUEST, which is "False" by default, to "True", as shown below:

```python
# "settings.py"

SESSION_COOKIE_AGE = 180  # 3 minutes. "1209600 (2 weeks)" by default

SESSION_SAVE_EVERY_REQUEST = True  # "False" by default
```

Henry Ecker
Super Kai - Kazuya Ito
0

Try setting settings.SESSION_COOKIE_AGE to N * 60 seconds.

http://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-age

Steve Jalim
0

Try installing django-auto-logout. You can control downtime:

```python
AUTO_LOGOUT = {'IDLE_TIME': 600}  # logout after 10 minutes of downtime
```

Visit https://morioh.com/p/eb3e09781dbf