Question

I want to log users out after some period of inactivity. This question (Logging users out of a Django site after N minutes of inactivity) has a reasonable-looking answer.

But I'd like to understand what distinguishes request.session.set_expiry from SESSION_COOKIE_AGE. The former seems to log the user out after a fixed period regardless of activity. Isn't this also what SESSION_COOKIE_AGE does if SESSION_SAVE_EVERY_REQUEST is False?

Solution

From what I can tell, request.session.set_expiry simply overrides the SESSION_COOKIE_AGE setting for that specific session. With SESSION_SAVE_EVERY_REQUEST = False (the default), there would be no functional difference.

In both cases, session activity is based off of when the session was last modified (unless SESSION_SAVE_EVERY_REQUEST is True, in which case it is saved on every request, so it's effectively modified on every request).

One example is that you may want users in a certain section of your application to have a longer session expiration, so you could use request.session.set_expiry with a custom value in the views related to that application, and then reset it with request.session.set_expiry(SESSION_COOKIE_AGE) when they leave that particular section.
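The behaviour described in the answer above, as an added example that is not part of the original answer and is not Django code: a simplified pure-Python model of the rule that expiry is stamped when the session is saved. ModelSession, scenarios and the 30-minute SESSION_COOKIE_AGE value are constructed for illustration; only the integer-seconds form of set_expiry is modelled.

```python
# Simplified model of Django session expiry rules (illustrative, not Django's code).
from dataclasses import dataclass
from typing import List, Optional

SESSION_COOKIE_AGE = 1800  # constructed value: 30 minutes, in seconds


@dataclass
class ModelSession:
    save_every_request: bool = False    # models SESSION_SAVE_EVERY_REQUEST
    custom_age: Optional[int] = None    # models request.session.set_expiry(seconds)
    expires_at: Optional[float] = None  # expiry stamped at the last save

    def _save(self, now: float) -> None:
        # The per-session value, when set, overrides the global setting.
        age = SESSION_COOKIE_AGE if self.custom_age is None else self.custom_age
        self.expires_at = now + age

    def set_expiry(self, seconds: int, now: float) -> None:
        self.custom_age = seconds
        self._save(now)  # calling set_expiry modifies the session, so it is saved

    def request(self, now: float, modifies: bool = False) -> bool:
        """Handle one request; return True while the user is still logged in."""
        if self.expires_at is not None and now >= self.expires_at:
            return False
        # A read-only request re-stamps expiry only under save_every_request.
        if self.expires_at is None or modifies or self.save_every_request:
            self._save(now)
        return True


def scenarios() -> dict:
    """The same user, active every 20 minutes, under three configurations."""
    times = [0, 1200, 2400, 3600]
    default = ModelSession()
    sliding = ModelSession(save_every_request=True)
    custom = ModelSession()
    custom.set_expiry(3600, now=0)
    return {
        "default": [default.request(t) for t in times],
        "save_every_request": [sliding.request(t) for t in times],
        "set_expiry_3600": [custom.request(t) for t in times],
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In the default and set_expiry cases the active user is still logged out once the stamped expiry passes; only the save-on-every-request case behaves as an inactivity timeout.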

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow