I have created a login page for my application and set the session timeout to 3 minutes, and it is working fine. The problem is that when the session times out, the user is still able to do many activities on the current page, i.e. the logout page is not shown unless the user refreshes the page or is redirected to another page. So, how can I log the user out once the session has timed out and the user does any activity on the current page?
Possible duplicate [here](https://stackoverflow.com/questions/3024153/how-to-expire-session-due-to-inactivity-in-django) and [here](https://stackoverflow.com/questions/14830669/how-to-expire-django-session-in-5minutes). – abybaddi009 Feb 22 '18 at 12:16
Those answers are about how to set the session timeout in Django, which I have done. The problem is that if the session times out for a particular user, then either the user should automatically be redirected to the logout page, or they should be logged out on the first click, which is not happening. – bSr Feb 22 '18 at 13:28
1 Answer
You can run a JavaScript `setTimeout` in the background which will check if the user is logged in, and after three minutes the browser window will refresh.
OR (better)
You can run this timer server-side, and when the client tries to change something, first look at the timer, or the value holding the time until which the client is logged in, and then, based on that time, perform the action or not. So after your three-minute interval the user would still be able to see the content, but when he tries to change something the backend would reject the request and require him to log in again.
It is a much better solution because when it comes to authentication and similar things, it's better every time to do them server-side rather than in the client's browser so that it cannot be exploited.
BUT
Both solutions can be applied simultaneously (so that client's browser would reload the window and redirect client to the login page and server would reject the request so that data would not be modified in any way).

At a given time, more than one user can be active; how would we know which user we need to log out? And one more thing: the timer is not fixed in Django, the session will only time out when the user does not do any activity. – bSr Feb 22 '18 at 09:27
Yeah. Consider having a field `last_action` on the user model which is updated on the logged-in user's last action, and then checking this field against the specified interval on every request. – Kryštof Řeháček Feb 22 '18 at 09:51
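
The server-side check described in the answer and the last comment, as an added example that is not part of the original thread. It assumes the `last_action` timestamp is kept in each user's session rather than on the user model, so every user is timed independently; `on_expired`, `FakeSession` and `demo` are hypothetical names, and the requests are constructed stand-ins so the sketch runs without Django.

```python
import time
from types import SimpleNamespace

IDLE_LIMIT_SECONDS = 3 * 60  # the 3-minute timeout from the question


def idle_expired(session, now, limit=IDLE_LIMIT_SECONDS):
    """True when the session's last recorded action is older than the limit."""
    last = session.get("last_action")
    return last is not None and now - last > limit


class IdleTimeoutMiddleware:
    """Shaped like a Django middleware; on_expired (hypothetical hook) builds the
    rejection, e.g. a login redirect, or a 401 for AJAX calls."""
    def __init__(self, get_response, on_expired, clock=time.time):
        self.get_response = get_response
        self.on_expired = on_expired
        self.clock = clock  # injectable so the timeout can be exercised offline

    def __call__(self, request):
        now = self.clock()
        if request.user.is_authenticated:
            if idle_expired(request.session, now):
                request.session.flush()  # server-side logout of this session only
                return self.on_expired(request)  # the view never runs
            request.session["last_action"] = now  # activity slides the window
        return self.get_response(request)


class FakeSession(dict):
    """Constructed stand-in for Django's dict-like session, which has flush()."""
    flush = dict.clear


def demo():
    """Constructed run: alice stays active, bob clicks after 200 s idle."""
    t = [0.0]
    mw = IdleTimeoutMiddleware(lambda r: "200 view ran",
                               lambda r: "401 login required", clock=lambda: t[0])
    user = SimpleNamespace(is_authenticated=True)
    alice = SimpleNamespace(user=user, session=FakeSession())
    bob = SimpleNamespace(user=user, session=FakeSession())
    out = [mw(alice), mw(bob)]   # t=0: both act, timestamps recorded
    t[0] = 100.0
    out.append(mw(alice))        # t=100: alice acts again
    t[0] = 200.0
    out += [mw(alice), mw(bob)]  # alice idle 100 s, bob idle 200 s
    return out, dict(bob.session)
```

In a Django project a middleware like this would be listed after `SessionMiddleware` and `AuthenticationMiddleware`, which provide `request.session` and `request.user`.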