
I have a use case where I want the user to get logged out when they close their browser. The next time the user visits the website, they should be redirected to the landing page / login page of my application.

From my side, I have implemented the following in the Django `settings.py` file:

```python
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_AGE = 40
SESSION_SAVE_EVERY_REQUEST = True
LOGOUT_REDIRECT_URL = '/logout_user/'
```

But this is not helping. Any idea how to achieve this scenario?

Ralf
nip_sham
  • You can set `SESSION_COOKIE_AGE` for the request, see this - https://stackoverflow.com/questions/15100400/django-remember-me-with-built-in-login-view-and-authentication-form – Pankaj Sharma Oct 22 '18 at 09:52
  • What do you mean by "But this not helping"? Can you explain what exactly is not working as you want it to? – Ralf Oct 22 '18 at 09:53
  • @Ralf Once I log in to my application and close the browser, I wait for 40 seconds, which is the session age time, after which I open the browser and, instead of showing the login page, my application shows the home page with only static data. But I want it to get redirected to the login page once the browser is opened again. So basically what I want is that every time a user opens my application in a browser they have to go through login. – nip_sham Oct 22 '18 at 09:58
  • What happens if you add `if not request.user.is_authenticated(): return redirect(settings.LOGIN_REDIRECT_URL)` at the top of your view? Does it redirect to login page then? You need to have set [`LOGIN_REDIRECT_URL`](https://docs.djangoproject.com/en/2.1/ref/settings/#login-redirect-url). – Ralf Oct 22 '18 at 10:05
  • @Ralf `TypeError: 'AnonymousUser' object is not iterable` this is what I get – nip_sham Oct 22 '18 at 10:15
  • That is a very strange error; that should not be raised from the code line I suggested. You will probably need to add a basic structure of your view code to get more help. – Ralf Oct 22 '18 at 10:17

1 Answer


The setting `SESSION_EXPIRE_AT_BROWSER_CLOSE` suggests to the user's browser that it should discard the cookie once the browser is closed (they are called "non-persistent cookies").

But this cannot be enforced from the server; for example, there are browser extensions that allow you to keep the cookies even though they are non-persistent. This warning can also be found in the Django session docs.

The only sure way I know is to set an expiration date for the session (like you are doing with the setting `SESSION_COOKIE_AGE`).

EDIT: this question suggests using a timestamp to check for session inactivity; maybe there are a few useful ideas for you.

Ralf
  • So even if I set `SESSION_COOKIE_AGE`, it doesn't redirect the next time I open the browser. It still shows the home page without any data, as the data are user specific. – nip_sham Oct 22 '18 at 09:26
  • Does the home page view have the `login_required` decorator (or the `LoginRequiredMixin`) ? – Ralf Oct 22 '18 at 09:28
  • Yes, it has, except for some of the data which are not user specific – nip_sham Oct 22 '18 at 09:31
  • Your view either has or hasn't the `login_required` decorator for the whole view, there is no middle ground. Please add your view code to the question and explain what exactly is not working as you want it to. – Ralf Oct 22 '18 at 09:33
  • Sorry, can't share the code as it is sensitive, but I am using `@login_required` before my functions which need authentication. – nip_sham Oct 22 '18 at 09:48
  • So, how are we supposed to help then? Random guesses? – Ralf Oct 22 '18 at 09:52
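
The inactivity-timestamp idea mentioned in the answer, sketched as Django-style middleware. This is an added example, not code from the thread: the class name, the `_last_seen` key and the injectable `clock` are assumptions, and it relies on `@login_required` to do the redirect once the session has been flushed.

```python
import time

AUTH_KEY = "_auth_user_id"    # key django.contrib.auth stores the user id under
LAST_SEEN_KEY = "_last_seen"  # hypothetical key name chosen for this example
IDLE_LIMIT = 40               # seconds; mirrors SESSION_COOKIE_AGE in the question


def session_is_stale(session, now, idle_limit=IDLE_LIMIT):
    """True if an authenticated session has been idle longer than idle_limit."""
    if AUTH_KEY not in session:
        return False  # anonymous visitors have nothing to expire
    last_seen = session.get(LAST_SEEN_KEY)
    if not isinstance(last_seen, (int, float)):
        return True   # logged in but no usable timestamp: fail closed
    return now - last_seen > idle_limit


class IdleTimeoutMiddleware:
    """Server-side idle logout that does not depend on the browser dropping
    its cookie. List it after SessionMiddleware and before
    AuthenticationMiddleware, so request.user resolves to AnonymousUser once
    the session is flushed and @login_required redirects to LOGIN_URL."""

    def __init__(self, get_response, clock=time.time):
        self.get_response = get_response
        self.clock = clock  # injectable so the timeout can be tested

    def __call__(self, request):
        if session_is_stale(request.session, self.clock()):
            # Remove the server-side session data, not only the cookie.
            request.session.flush()
        response = self.get_response(request)
        # Stamp after the view has run so a fresh login gets a timestamp too.
        if AUTH_KEY in request.session:
            request.session[LAST_SEEN_KEY] = self.clock()
        return response
```

Sessions that were created before the middleware was installed carry no timestamp, so they are logged out on their first request.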