Monday, 20 November 2023

Django request.session && expiry

 https://developer.mozilla.org/en-US/docs/Learn/Server-side/Django/Sessions

Django uses a cookie containing a special session id to identify each browser and its associated session with the site. The actual session data is stored in the


Django session expiry:

default :

https://stackoverflow.com/questions/41614970/what-is-the-default-django-session-lifetime-and-how-to-change-it

The setting you are looking for is SESSION_COOKIE_AGE, the default value is 1209600 which is two weeks, in seconds.


To change it :

https://docs.djangoproject.com/en/4.2/topics/http/sessions/#:~:text=If%20value%20is%20an%20integer,session%20expire%20in%205%20minutes.


set_expiry(value)

Sets the expiration time for the session. You can pass a number of different values:

  • If value is an integer, the session will expire after that many seconds of inactivity. For example, calling request.session.set_expiry(300) would make the session expire in 5 minutes.
  • If value is a datetime or timedelta object, the session will expire at that specific date/time.
  • If value is 0, the user’s session cookie will expire when the user’s web browser is closed.
  • If value is None, the session reverts to using the global session expiry policy.

Reading a session is not considered activity for expiration purposes. Session expiration is computed from the last time the session was modified.




Django set expiry default behaviour 

https://stackoverflow.com/questions/1366146/django-session-expiry


As the author of those methods, I can see that the documentation isn't very clear regarding this. Your observations are correct: only requests which cause the session to be altered is considered "activity".

MEANING you have to hit this method :

request.session.set_expiry(300)
to consider active (renew another 5 min)
so set_expiry(300) is if you dont call this method in 5 min, you are expired
    

You can use the SESSION_SAVE_EVERY_REQUEST setting to get the behavior you're after (at the obvious cost of the session having to being saved every request).

Note : It will update the existing session record with latest expiry date.




Django removes session manually:

https://docs.djangoproject.com/en/4.2/topics/http/sessions/

flush()

Deletes the current session data from the session and deletes the session cookie. This is used if you want to ensure that the previous session data can’t be accessed again from the user’s browser (for example, the django.contrib.auth.logout() function calls it).

Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)