Hi Florian,

Then again, the default behaviour now is as you describe. That's why I would call it a security leak.

Unfortunately, it is not only my system, it is the system of any unaware Django programmer.

Wim

On Sep 11, 10:24 pm, Florian Apolloner <[email protected]> wrote:
> On Sunday, September 11, 2011 8:52:03 PM UTC+2, Wim Feijen wrote:
>
> > 3. Because the user is still logged in, (maybe for two weeks, or for
> > whatever expiration time the developer has set)
>
> Imo in that case the developer should write a middleware that logs the user
> out on the next request. I see your problem, but imo your system needs a bit
> of tweaking if you allow inactive users to browse your site till their
> session expires (which with SAVE_EVERY_REQUEST + a high timeout) could as
> well be never…

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
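
A sketch of the middleware suggested in the quoted reply, which logs a deactivated user out on the next request. This is an added example, not code from the thread or from Django itself. The class name and logger name are hypothetical, and it assumes current Django middleware style, placement after `AuthenticationMiddleware`, and an auth backend that still returns inactive users from `get_user()`.

```python
"""Added example: end the session of a deactivated user on the next request."""
import logging

logger = logging.getLogger("security.sessions")  # logger name is an assumption


class LogoutInactiveUserMiddleware:
    """Logs out a logged-in user whose account is no longer active.

    Assumptions: callable-style middleware taking get_response, listed after
    AuthenticationMiddleware in MIDDLEWARE so that request.user is populated,
    and an auth backend that still returns inactive users from get_user().
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        user = getattr(request, "user", None)
        # Only act on authenticated users: anonymous users have no session
        # identity to revoke, and active users must pass through untouched.
        if user is not None and user.is_authenticated and not user.is_active:
            logger.warning("ending session of deactivated user pk=%s", user.pk)
            self.end_session(request)
        # The rest of the stack now sees the request as anonymous.
        return self.get_response(request)

    def end_session(self, request):
        # Imported lazily so the class can be exercised without a configured
        # Django project. logout() flushes the session data and replaces
        # request.user with an anonymous user.
        from django.contrib.auth import logout

        logout(request)
```

Because the check runs on every request, the stale session ends on the first request after deactivation, whatever the session expiry is set to.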
