TP wrote:

> I recently ran into what I thought was counter-intuitive session
> expiration behavior. See ticket http://code.djangoproject.com/ticket/8452
> for the details.
> 
> I don't mean to dig up topics that have been long debated, but I also
> wonder if these semantics make sense?
> 
> If I log into a site and only happen to read from my session, my
> session will log out in SESSION_COOKIE_AGE seconds (or whatever
> set_expiry says). However, if I happen to do actions that cause writes
> to my session then my session will expire in some hard-to-determine
> point in the future. How to explain to a user when they will be logged
> out -- X seconds after their last session write? I wrote the app and
> I'm not even sure when the session is written to due to third party
> libraries etc.
> 
> Further, for security reasons it seems like it's a good policy for
> Django to ship with the default behavior for every session to
> automatically expire SESSION_COOKIE_AGE seconds after the session was
> created no matter what. If the app wants to push out the expiration
> time every time the user is active, they can call set_expiry
> explicitly. But I guess that's just one person's opinion.
> 
> Alternatively, for consistency, Django could update the expiry age
> whenever the session is _read_ or written. Then the docs could simply
> say the expiry age is updated whenever the session is used which is
> very simple to understand: anytime someone comes back to the site
> their session expiration time will renew. If they don't come back
> within the expiration time, their session expires.

SESSION_SAVE_EVERY_REQUEST is by far the most sensible option, and the
default behavior for every other web framework I've used. Interaction of
any kind with the server should be taken as an indication that the
session user wants the session to remain alive.

At least it's documented, though ...

regards
 Steve
-- 
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC              http://www.holdenweb.com/
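To make the three expiry semantics debated above concrete, here is a small model written for this page, not Django's own session code and not part of the thread: an "absolute" policy (expire SESSION_COOKIE_AGE seconds after creation, as TP proposes as a default), Django's write-only renewal (expiry is refreshed only when the session is saved), and SESSION_SAVE_EVERY_REQUEST (expiry is refreshed on every request, as Steve favours). The policy names, the `simulate` helper, the shortened age of 600 seconds and the request timelines are all constructed for the illustration.

```python
# Constructed model of the three session-expiry policies discussed in the
# thread. This is NOT Django's implementation; it only models the behaviour
# the thread describes so the differences can be seen side by side.
from dataclasses import dataclass

SESSION_COOKIE_AGE = 600  # seconds, shortened for the example; Django's default is 1209600

# Policy names are this example's own, not Django settings.
ABSOLUTE = "absolute"                      # expire at creation + age, no matter what
SAVE_ON_WRITE = "save_on_write"            # renew only when the session is written (saved)
SAVE_EVERY_REQUEST = "save_every_request"  # renew on every request (SESSION_SAVE_EVERY_REQUEST)


@dataclass
class Session:
    created: int
    expires_at: int
    alive: bool = True


def new_session(now, age=SESSION_COOKIE_AGE):
    """Create a session at time `now` that initially expires `age` seconds later."""
    return Session(created=now, expires_at=now + age)


def handle_request(session, now, writes, policy, age=SESSION_COOKIE_AGE):
    """Apply one request at time `now`; return whether the user is still logged in.

    `writes` says whether the view modified the session during this request.
    Once a session has expired it stays dead: the model assumes the user does
    not log in again, so later requests keep reporting False.
    """
    if not session.alive or now >= session.expires_at:
        session.alive = False
        return False
    if policy == SAVE_EVERY_REQUEST or (policy == SAVE_ON_WRITE and writes):
        # Saving the session rewrites its expiry relative to this request,
        # which is what pushes the logout time to a hard-to-predict point.
        session.expires_at = now + age
    # Under ABSOLUTE the expiry was fixed at creation; nothing to update.
    return True


def simulate(policy, requests, age=SESSION_COOKIE_AGE):
    """Run a timeline under one policy.

    `requests` is a list of (time, writes) pairs in ascending time order; the
    first request is the login that creates the session. Returns one
    logged-in flag per request.
    """
    first_time, _ = requests[0]
    session = new_session(first_time, age)
    return [handle_request(session, t, w, policy, age) for t, w in requests]


# Constructed timelines (seconds after login). Each gap is under the 600 s age,
# so a user who keeps coming back would expect to stay logged in.
READ_ONLY = [(0, True), (300, False), (500, False), (700, False), (900, False), (1100, False)]
WITH_WRITE = [(0, True), (300, False), (400, True), (700, False), (900, False), (1100, False)]

if __name__ == "__main__":
    for name, timeline in (("read-only after login", READ_ONLY), ("one write at t=400", WITH_WRITE)):
        print(name)
        for policy in (ABSOLUTE, SAVE_ON_WRITE, SAVE_EVERY_REQUEST):
            print(f"  {policy:20s} {simulate(policy, timeline)}")
```

The read-only timeline is TP's complaint in miniature: under write-only renewal a user who merely reads the site is logged out at t=700 exactly as under the absolute policy, while a single incidental write at t=400 silently buys another full age. Only SESSION_SAVE_EVERY_REQUEST gives the "renew whenever the user comes back" rule that is easy to explain, at the cost of a session-store write on every request.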
