Hi George-Cristian,

I agree, the 'clearing the session store' paragraph could be more explicit
about the conditions under which sessions do get deleted. I encourage you to check
https://docs.djangoproject.com/en/dev/internals/contributing/ , open a
ticket, and make a PR with some updated wording :)

I also think the two cases you're looking at are part of the same logic to
delete sessions for users whose passwords have changed, and these two code
paths are implementing the same feature at different points. The first is
during user-fetching (normally from request.user added by
AuthenticationMiddleware), the second when login() is called on a
non-logged-in session (that may have been logged in previously, possibly).

Looking forward to your PR,

Adam

On 3 January 2018 at 11:56, George-Cristian Bîrzan <[email protected]> wrote:

> The documentation explicitly mentions that expired sessions aren't
> automatically deleted from the database, except when the user manually logs
> out. [1]
>
> That, however, isn't the case. Firstly, when trying to access a user whose
> password was changed, the session is deleted from the database. [2] This,
> to me, seems the correct behaviour, and I think there should be a bug filed
> against the docs.
>
> There's also a second case where this happens. [3] This one is a bit
> harder to follow. The way I read it, if you're already logged in and log in
> again, OR if the password is different (this is the part I have trouble
> understanding, I guess this can only happen when you call login for the
> same user, but don't verify the password). The latter part was added in
> https://github.com/django/django/commit/fd23c06023a0585ee743c0752dc94da66694cf63 .
>
> The first part, logging in as another user, should act like a logout/login,
> but the docs need a mention of it. The second, I don't really understand,
> so I'm not sure what the change to the docs should say.
>
>
> [1] - https://docs.djangoproject.com/en/2.0/topics/http/sessions/#clearing-the-session-store
> [2] - https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L194
> [3] - https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L99
>
> --
> George-Cristian Bîrzan
>



-- 
Adam
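
The two code paths discussed in this thread, as an added example that is not part of either message and is not Django's own code: a simplified stand-alone model in which a session stores an HMAC of the user's password hash and is deleted when that HMAC no longer matches. The in-memory `STORE` and `USERS` dicts and all function names are hypothetical stand-ins.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for settings.SECRET_KEY
STORE = {}  # session key -> session data; stands in for the session table
USERS = {}  # user id -> stored password hash (constructed values)

def auth_hash(uid):
    """HMAC over the stored password hash, so it changes with the password."""
    return hmac.new(SECRET_KEY, USERS[uid].encode(), hashlib.sha256).hexdigest()

def new_session(data=None):
    key = secrets.token_hex(16)
    STORE[key] = dict(data or {})
    return key

def flush(key):
    """Delete the stored session and return the key of a fresh, empty one."""
    STORE.pop(key, None)
    return new_session()

def is_stale(data, uid):
    return not hmac.compare_digest(data.get("auth_hash", ""), auth_hash(uid))

def get_user(key):
    """Path 1, user fetch: a session whose hash is stale is deleted."""
    data = STORE.get(key, {})
    uid = data.get("user_id")
    if uid is None:
        return None, key
    if is_stale(data, uid):
        return None, flush(key)
    return uid, key

def login(key, uid):
    """Path 2, login() on a session that already carries a user id."""
    data = STORE.get(key, {})
    if "user_id" in data:
        if data["user_id"] != uid or is_stale(data, uid):
            key = flush(key)  # different user or changed password
    else:
        key = new_session(STORE.pop(key, {}))  # anonymous: keep data, rotate key
    STORE[key].update(user_id=uid, auth_hash=auth_hash(uid))
    return key
```

In both paths the old session row is removed from the store as a side effect of the hash check, independently of any explicit logout.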
