Hi Spork,

See this section of the sessions docs:
https://docs.djangoproject.com/en/1.4/topics/http/sessions/#clearing-the-session-table

While it mentions file and db backends specifically, I assume the cache
backend would work similarly. I.e., you need to periodically run a
cleanup of session data. According to the docs, Django will
automatically delete session data when the user logs out, but not
otherwise (again, the server has no reliable way of knowing the user has
closed the browser window) so if you want the data gone, you have to
clean it up periodically.

Taking a step back, I don't think this is a good approach to security.
This data is still residing on your server for however short a time
period. The issue should be less one of how long the data exist there,
and more about how to keep it safe. How to do that depends somewhat on
the nature of the data (e.g., SSNs or credit card numbers should reside
only on a system not connected directly to the internet).

_Nik

On 1/21/2013 9:45 AM, testbackupa...@gmail.com wrote:
> Nik,
>
> My concerns are about security. I have some sensitive data associated
> with each user's session, and I'd like to make sure it is deleted when
> the user logs out or their session times out or closes their browser
> window. There's also some other clean up actions I'd like to do under
> the same circumstances.
>
> I took a look at the session caching documents (thanks for the
> pointer), and I think I would have to go for the cached_db option; if
> I just used the plain vanilla cache option and the data got expired
> out of the cache, it would create a terrible user experience. But I
> would like to understand the mechanism by which session data gets purged
> from the database backend. Can I rely on it getting purged with each
> log out/session time out/browser window closure?
>
> Again, thanks for the good feedback.
>
> Spork
> -- 
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/django-users/-/SOs0zvR48PMJ.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
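For anyone reading this thread later, here is a small stand-in model of the lifecycle Nik describes above. It is example code added to this page, not Django's code and not something either poster wrote: the session table is a plain dict with stdlib datetime, the session keys and the data values are constructed, and the Django names it mentions in comments (request.session.flush(), SESSION_COOKIE_AGE, the 1.4 "cleanup" command that became "clearsessions" in 1.5) are there only so the steps can be mapped back to the real backend.

```python
"""
Model of Django's database session backend lifecycle (illustration only).
The timing it reproduces:
  - logout()        -> request.session.flush() deletes the row at once
  - expiry          -> the row is ignored on load but stays on the server
  - periodic sweep  -> `manage.py cleanup` (1.4) / `clearsessions` (1.5+)
                       deletes rows whose expire_date has passed
  - browser close   -> invisible to the server; nothing happens at all
"""
from datetime import datetime, timedelta

SESSION_COOKIE_AGE = 30 * 60  # seconds; Django's own default is two weeks


class Clock:
    """Controllable clock so the example can advance time deterministically."""

    def __init__(self, start):
        self.now = start

    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)


class SessionTable:
    """One row per session: session_key -> (session_data, expire_date)."""

    def __init__(self, clock):
        self.rows = {}
        self.clock = clock

    def save(self, key, data, age=SESSION_COOKIE_AGE):
        self.rows[key] = (dict(data), self.clock.now + timedelta(seconds=age))

    def load(self, key):
        """What the middleware sees on a request: an expired row reads as
        'no session'.  Note that the row itself is NOT removed here."""
        row = self.rows.get(key)
        if row is None or row[1] <= self.clock.now:
            return None
        return row[0]

    def flush(self, key):
        """What django.contrib.auth.logout() does via request.session.flush()."""
        self.rows.pop(key, None)

    def clear_expired(self):
        """The periodic sweep; returns the number of rows deleted."""
        now = self.clock.now
        dead = [k for k, (_, exp) in self.rows.items() if exp <= now]
        for k in dead:
            del self.rows[k]
        return len(dead)


def lifecycle_demo():
    """Walk two users through the model and record what is still stored on
    the server after each step."""
    clock = Clock(datetime(2013, 1, 21, 9, 45))
    table = SessionTable(clock)
    # Constructed sample data standing in for "sensitive data in the session".
    table.save("alice", {"secret": "constructed-123"})
    table.save("bob", {"secret": "constructed-456"})

    report = {}
    table.flush("alice")                              # alice clicks "log out"
    report["after_logout"] = sorted(table.rows)       # only bob's row is left

    clock.advance(SESSION_COOKIE_AGE + 1)             # bob just closed his browser
    report["expired_readable"] = table.load("bob") is None   # middleware ignores it
    report["expired_still_stored"] = "bob" in table.rows     # but the data is still there

    report["swept"] = table.clear_expired()           # the cron job finally runs
    report["after_sweep"] = sorted(table.rows)
    return report


if __name__ == "__main__":
    for step, value in lifecycle_demo().items():
        print("%-22s %r" % (step, value))
```

The point to take from the run is the window between "expired_readable" and "swept": the server cannot see the browser close, the expired row is simply skipped on the next request, and the data only leaves the server when the sweep (or an explicit flush) deletes it. With the plain cache backend the cache's own expiry removes the entry instead, and with cached_db flush() clears both copies, but the database row still waits for the sweep.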
