StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow do I disable automatic session expiry update in Django?
primarykey
Id
15767795
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
3
CommunityOwnedDate
CreationDate
2013-04-02T15:16:02.053
FavoriteCount
0
LastActivityDate
2013-04-02T15:16:02.053
LastEditDate
2017-05-23T12:03:20.860
LastEditorUserId
-1
OwnerUserId
1254292
ParentId
0
PostTypeId
1
Score
2
ViewCount
457
LastEditorDisplayName
text
Body
I'm developing an application in Django with some specific security requirements. One of them is to disable the default behaviour to automatically extend the expiry of sessions on activity. Yes, I want to sessions to expire unless explicitly renewed (e.g. re-login, renew token, etc. - not relevant right now). How is this improving security? Well, a malicious user taking control over the PC of the victim will then only have access to the application with the victim authenticated for only a limited time. Unfortunately, using <a href="https://docs.djangoproject.com/en/1.5/topics/http/sessions/" rel="nofollow noreferrer"><code>django.contrib.sessions</code></a>, this seems not configurable as the modification time of the session is being used thoroughly and in the very base of the backends (<code>backends/base.py</code>) for the server-side storage as well as in the middleware component (<code>middleware.py</code>) for the HTTP cookie. Also, the expiry is only accessible in the relative form to the modification time internally (<code>SessionStore._session_expiry</code>) as only the session data is being loaded into the session object. So, unless we ask the model directly (<code>Session.objects.get(pk=s.session_key).expire_date</code> - ugh, ugly), we don't know what the expire date is. How do I implement this properly? Is this possible without reimplementing the methods <code>get_expiry_*</code> and the <code>process_response()</code> middleware function? I'd rather avoid that as I think it might break a later time in case Django gets updated. Trying that out by setting a custom session variable to keep track of the expiry in my own terms (like in <a href="https://stackoverflow.com/a/3025372/1254292">this answer</a>) seems not only redundant, but it also confuses other apps/code asking <code>SessionStore.get_expiry_age()</code> while my middleware would enforce a different expiry. Therefore, I'm considering this approach to be too low in quality for my purposes. Am I right in my assumptions above? Should I request this as a new feature and patch it myself in the meantime?
Tags
<django><django-sessions>
Title
How do I disable automatic session expiry update in Django?
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USgertvdijk
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POHow do I disable automatic session expiry update in Django?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.