16

I am working on sessions in Django.

By default, django stores sessions in django_session, I found out there is no way to purge sessions.

Though clearsessions can be used to delete rows. It is also recommended to run this as a cron job. But doing this means logging out all logged-in users, right?

Is this the right way to do it?

Emile Bergeron
  • 17,074
  • 5
  • 83
  • 129
sachsure
  • 828
  • 1
  • 17
  • 30

3 Answers3

18

The Django documentation states (emphasis from me):

Clearing the session store

As users create new sessions on your website, session data can accumulate in your session store. If you’re using the database backend, the django_session database table will grow. If you’re using the file backend, your temporary directory will contain an increasing number of files.

To understand this problem, consider what happens with the database backend. When a user logs in, Django adds a row to the django_session database table. Django updates this row each time the session data changes. If the user logs out manually, Django deletes the row. But if the user does not log out, the row never gets deleted. A similar process happens with the file backend.

Django does not provide automatic purging of expired sessions. Therefore, it’s your job to purge expired sessions on a regular basis. Django provides a clean-up management command for this purpose: clearsessions. It’s recommended to call this command on a regular basis, for example as a daily cron job.

Note that the cache backend isn’t vulnerable to this problem, because caches automatically delete stale data. Neither is the cookie backend, because the session data is stored by the users’ browsers.

Found this link in Abid A's answer.

The clearsessions command

Can be run as a cron job or directly to clean out expired sessions.

So it won't log off every user.

As mentioned by Kevin Christopher Henry in a comment and in the other possible duplicate of your question flagged by e4c5.

user8193706
  • 2,387
  • 2
  • 8
  • 12
Emile Bergeron
  • 17,074
  • 5
  • 83
  • 129
  • this is okay!..but doing this will log out all logged in users..right? – sachsure Aug 03 '16 at 20:52
  • @sachsure I updated the answer with more info from the doc. – Emile Bergeron Aug 04 '16 at 00:21
  • @EmileBergeron, do you know if the clearsessions command can possibly return any result, so the log of the cron job has actually any trace of the partivular run? – Adrian Chrostowski Jun 06 '18 at 08:40
  • @AdrianChrostowski not sure since I can't test it right now, but I think django commands will return an error code if they fail. – Emile Bergeron Jun 06 '18 at 14:11
  • Why is that SLOW?. Since it boiles down to simple SQL, why is that slow? – jobima Aug 27 '18 at 12:16
  • @jobima What do you mean? Running the command on your project is slow for you right now? – Emile Bergeron Aug 27 '18 at 16:37
  • @EmileBergeron exactly. It takes a few minutes. Isn't it wierd? I want to use it on production site but I am worried it somehow blocks the other SQL petitions from the web. – jobima Aug 29 '18 at 12:45
  • @jobima it depends on the size of the database (lots of expired sessions?) and the spec of the server it runs on. That's why it's best to be clear sessions as a nightly cron job. – Emile Bergeron Aug 29 '18 at 14:23
16

  1. Django 1.6 or Above

    python manage.py clearsessions

  2. Django 1.5 or lower

    python manage.py cleanup

  3. From Django Shell

    from django.contrib.sessions.models import Session
Session.objects.all().delete()

  4. django-session-cleanup cronJob

  5. clearing session in logout( based on session key present in request)

from django.contrib.sessions.models import Session  
session_key = request.data['sessionKey']
session = Session.objects.get(session_key=session_key)
Session.objects.filter(session_key=session).delete()
Session.objects.all().delete()
HK boy
  • 1,398
  • 11
  • 17
  • 25
Roshan Bagdiya
  • 2,048
  • 21
  • 41
  • Getting a `'WSGIRequest' object has no attribute 'data'` in line `session_key = request.data['sessionKey']` – Qohelet Nov 25 '19 at 17:34
  • There's a logout() function for the fifth one above that does a bit more than your version (like sending signals). – mlissner Dec 02 '20 at 22:14
-2

The newer versions of Django allow:

request.session.clear()
Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
Andrew Skinner
  • 5
  • 1
  • 3
    Could you specify which are "the newer versions"? – gdvalderrama Feb 03 '20 at 10:07
  • 1
    This just clears the data in the current session dictionary, it doesn't answer the question at all. And it was already available a long time ago (since 1.8 at least), so it's not even new. – Emile Bergeron May 22 '20 at 15:39
  • -1. Very brief answer, doesn't explain what the command does or how to implement it, and apparently *does not in fact do what the OP asked for* so it's incorrect on top of that. Recommend deletion. – Shadur Dec 14 '22 at 13:44