[Django] #32751: Add link from Session object to User object

Mon, 17 May 2021 01:49:57 -0700 

#32751: Add link from Session object to User object
--------------------------------------------+------------------------
               Reporter:  David             |          Owner:  nobody
                   Type:  Uncategorized     |         Status:  new
              Component:  contrib.sessions  |        Version:  4.0
               Severity:  Normal            |       Keywords:
           Triage Stage:  Unreviewed        |      Has patch:  0
    Needs documentation:  0                 |    Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  1
                  UI/UX:  0                 |
--------------------------------------------+------------------------
 When designing web apps, a common pattern is presenting users with a list
 of existing sessions (and the subsequent ability to end any or all of
 their existing open sessions). This is useful for a number of security
 reasons, and allows users to make sure there are no open sessions they
 don't recognize.

 However, currently Django has no direct link from a `Session` to  an
 authenticated `User`. There are multiple projects (`django-user-sessions`
 and `django-qsessions`) that exist largely to add this functionality, and
 a series of blog and Stackoverflow threads advocating various other
 solutions including the use of a secondary `UserSession` model with
 `ForeignKey` fields linking to the current session and current user. This
 method is the least disruptive to stock Django, although not perfect
 either since the session isn't always saved by the time the `logged_in`
 signal fires.

 Adding a `user` field to the existing `Session` model would add this
 significant functionality and remove the need for external packages and
 user workarounds. Systems that wanted to track additional information
 about sessions could still override and extend the model, but for many
 users a simple link from sessions to users would likely be sufficient. An
 additional field in the Session would would maintain backward
 compatibility as sessions could be updated to save the field as they were
 accessed again, and/or developers could be advised to clear existing
 sessions if they want to use this functionality from the start.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32751>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/049.0189af6fbb86e2bc95423af6a47cc56a%40djangoproject.com.

Reply via email to