
Currently the Django session model doesn't have a user ID field:

from django.db import models
from django.utils.translation import gettext_lazy as _

class AbstractBaseSession(models.Model):
    # the user is only identifiable from inside the encoded session_data payload
    session_key = models.CharField(_('session key'), max_length=40, primary_key=True)
    session_data = models.TextField(_('session data'))
    expire_date = models.DateTimeField(_('expire date'), db_index=True)

This makes it impossible for us to implement "back-channel logout", because every service provider would have different session IDs. To make this work, I will need to add a user identification field to the model, e.g. username, so that the IdP can issue a logout signal to all service providers to log the user out by using the username:

from django.db import models
from django.utils.translation import gettext_lazy as _

class AbstractBaseSession(models.Model):
    session_key = models.CharField(_('session key'), max_length=40, primary_key=True)
    session_data = models.TextField(_('session data'))
    expire_date = models.DateTimeField(_('expire date'), db_index=True)
    # proposed addition: lets the IdP-triggered logout find every session of a user
    username = models.CharField(...)

I am not 200% sure whether this will have any security implications. Thought I'd post here to check with the experts.

James Lin
  • you would not do this ... all those keys are part of the data payload, which is just an arbitrary key/value store ... try something like `request.session["username"]="test@email.com"` then print the decoded stuff ... I would not recommend implementing your own session stuff ... but you could, I guess – Joran Beasley Apr 04 '23 at 02:50
  • @JoranBeasley sorry, I don't get what you said; the back-channel logout would not involve a request object. BTW I removed the `get_decoded()` part from the question as it's unrelated – James Lin Apr 04 '23 at 02:52
  • it's not unrelated, it is very related ... all that stuff that was printed is encoded in the `session_data` ... so when the user logs in you simply add their username to the request.session ... then when you go to do your logout the decoded data will contain whatever info you added to the request.session – Joran Beasley Apr 04 '23 at 02:56
  • @JoranBeasley I think you misunderstood my question. I want to implement 'back-channel' logout without using the session ID to identify a user's session record in the DB, but instead use a user ID to get the session records in the DB and delete them. – James Lin Apr 04 '23 at 02:59
  • ok... then i guess you would need to alter the table ... and anywhere that writes to the table ... still seems dicey ... – Joran Beasley Apr 04 '23 at 03:01
  • yeah, hence I asked the question here, as I am not 100% sure if this is totally secure in the cyber security sense – James Lin Apr 04 '23 at 03:01
  • just as secure as any other DB table I imagine ... might violate some GDPR stuff as email counts as PII – Joran Beasley Apr 04 '23 at 03:04
  • So far I haven't found any implementation like this, so this has me worried that there would be a reason for it. – James Lin Apr 04 '23 at 03:18
  • this seems similar https://stackoverflow.com/questions/59617751/how-to-make-a-django-user-inactive-and-invalidate-all-their-sessions – Joran Beasley Apr 04 '23 at 03:24
  • in fact it looks like django recommends this practice http://www.matrix.umcs.lublin.pl/DOC/python-django-doc/html/topics/http/sessions.html#example – Joran Beasley Apr 04 '23 at 03:29
  • @JoranBeasley thanks, qsession looks like just what I am after – James Lin Apr 04 '23 at 03:38
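Added example, not code from the question, the comments or Django: a stand-alone sqlite3 sketch of the table the question proposes, storing the user's primary key in an indexed column rather than the username (which the GDPR comment flags as PII), with the back-channel logout reduced to one DELETE by user id. sessions_for_user_by_scan shows what the same lookup costs when the user is only identifiable inside the encoded session_data payload, as the comments describe. The table name, the base64/JSON encoding and the sample sessions are constructed stand-ins.

```python
import base64
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Stand-in for the proposed table: the session row carries the user's primary
# key in its own indexed column, not only inside the opaque session_data blob.
# The pk rather than the username is stored, so no PII lands in the session
# table and a username change cannot orphan the rows.
SCHEMA = """
CREATE TABLE session (
    session_key TEXT PRIMARY KEY,
    session_data TEXT NOT NULL,
    expire_date TEXT NOT NULL,
    user_id INTEGER
);
CREATE INDEX session_user_id ON session (user_id);
"""

def encode(data: dict) -> str:
    # Constructed stand-in for the framework's encoding (Django also signs it).
    return base64.b64encode(json.dumps(data).encode()).decode()

def decode(blob: str) -> dict:
    return json.loads(base64.b64decode(blob))

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def save_session(conn, session_key: str, data: dict, ttl=timedelta(weeks=2)) -> None:
    # The column is derived from the payload at write time, as a custom
    # SessionStore would do, so the column and the payload cannot disagree.
    expire = (datetime.now(timezone.utc) + ttl).isoformat()
    conn.execute(
        "INSERT OR REPLACE INTO session VALUES (?, ?, ?, ?)",
        (session_key, encode(data), expire, data.get("_auth_user_id")),
    )

def back_channel_logout(conn, user_id: int) -> int:
    # IdP-initiated logout: the service provider only learns which user to log
    # out, never its own session keys, so it revokes by user id in one DELETE.
    return conn.execute("DELETE FROM session WHERE user_id = ?", (user_id,)).rowcount

def sessions_for_user_by_scan(conn, user_id: int) -> list:
    # The same lookup without the column: decode every row in the table.
    rows = conn.execute("SELECT session_key, session_data FROM session")
    return [key for key, blob in rows if decode(blob).get("_auth_user_id") == user_id]
```

Anonymous sessions (no `_auth_user_id` in the payload) get a NULL user_id and are never touched by a back-channel logout.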

0 Answers