On Sat, Apr 6, 2013 at 12:24 AM, John DeRosa <[email protected]> wrote:
> I have a Profile table that's 1:1 with the User table. Each Profile row has
> an account_expiration field.
>
> I want to invalidate users when their accounts expire. By "invalidate", I
> mean: They can't log in, and they can't use the system any more.
>
> The closer I look, the more complicated it seems.
>
> Adding an expiration date check to our authentication backend is the easy
> part. The hard part is what to do about users who are currently logged in?
> They have Session objects in the database, and the session cache. (We use
> django.contrib.sessions.backends.cached_db.) I could make a periodic task
> that deletes the session objects of expired accounts, but it would also have
> to find the expired objects in the cache. This starts to feel unwieldy and
> fragile.
>
> I could crank down SESSION_COOKIE_AGE to one hour, but that would be ugly.
>
> I'm wondering if I'm over-thinking this. Has anyone implemented account
> expiration in a way that deals with users already logged in?
>
I defined a model SessionAudit, which has a foreign key to user, and fields for session id, ip address, user agent, and created and modified timestamps.

I've then added a piece of middleware, which ensures that each authenticated user also has a corresponding SessionAudit instance.

I've added a post_delete signal to Session objects, so that when a Session is deleted, any corresponding SessionAudit objects are also removed.

Finally, I've added a view to our users page, allowing an admin to list and examine details about a user's session, and allow them to destroy/revoke a user's session. This isn't in django's admin interface, it is in our own custom interface, but I would have thought this could be similarly modelled in Django's admin.

Cheers

Tom
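One way to put the pieces described in this thread together, as an added example that is not code from John's or Tom's project: a pure policy step that decides which audited sessions belong to expired accounts, a `revoke_session()` helper that goes through the cached_db `SessionStore` so the DB row and the cache entry are removed together (the part John was worried about), a middleware that records a SessionAudit row for each authenticated session and logs out anyone whose account has expired, and a sweep function suitable for a periodic task. The model names `Profile` (with `user` and `account_expiration`), `SessionAudit` (with `user`, `session_key`, `ip_address`, `user_agent`), the `myapp.models` module path and the `profile` related name are assumptions; Django imports are done lazily so the policy helpers can be exercised without a configured project, and the sample data at the bottom is constructed for illustration.

```python
"""Added example (not code from the thread): revoking sessions of expired accounts.

Assumed, hypothetical names: myapp.models.Profile (OneToOne `user`,
DateTimeField `account_expiration`) and myapp.models.SessionAudit
(`user`, `session_key`, `ip_address`, `user_agent`). Middleware is written in
the modern Django callable style.
"""
from datetime import datetime, timedelta, timezone


def account_is_expired(account_expiration, now=None):
    """True when the expiration timestamp is now or in the past.
    A missing expiration (None) means the account never expires."""
    if account_expiration is None:
        return False
    now = now or datetime.now(timezone.utc)
    return account_expiration <= now


def session_keys_to_revoke(audit_rows, expirations, now=None):
    """Pure policy step: given (user_id, session_key) audit rows and a
    user_id -> account_expiration mapping, return the sorted session keys
    whose owner has expired. Users without a Profile row are left alone."""
    now = now or datetime.now(timezone.utc)
    return sorted(
        key for user_id, key in audit_rows
        if account_is_expired(expirations.get(user_id), now)
    )


def revoke_session(session_key):
    """Destroy one session everywhere cached_db keeps it. SessionStore.delete()
    on the cached_db backend deletes the Session row (which fires post_delete,
    so a SessionAudit cleanup handler runs) and evicts the cache entry; deleting
    only the Session model row would leave the cached copy usable."""
    from django.contrib.sessions.backends.cached_db import SessionStore
    SessionStore(session_key=session_key).delete()


def revoke_expired_sessions(now=None):
    """Periodic sweep (e.g. a management command): revoke every audited session
    that belongs to an expired account and return the revoked keys."""
    from myapp.models import Profile, SessionAudit  # hypothetical models
    now = now or datetime.now(timezone.utc)
    expirations = dict(Profile.objects.values_list("user_id", "account_expiration"))
    rows = list(SessionAudit.objects.values_list("user_id", "session_key"))
    keys = session_keys_to_revoke(rows, expirations, now)
    for key in keys:
        revoke_session(key)
    return keys


class ExpiredAccountMiddleware:
    """Per request: log out users whose account has expired (logout() flushes
    the session, DB row and cache entry), otherwise make sure the session has
    a SessionAudit row so an admin or the sweep can find and revoke it later."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        user = getattr(request, "user", None)
        if user is not None and user.is_authenticated:
            profile = getattr(user, "profile", None)  # assumed related_name
            if profile is not None and account_is_expired(profile.account_expiration):
                from django.contrib.auth import logout
                logout(request)
            else:
                self.record_session(request, user)
        return self.get_response(request)

    @staticmethod
    def record_session(request, user):
        from myapp.models import SessionAudit  # hypothetical model
        if not request.session.session_key:
            request.session.save()  # a key must exist before it can be audited
        SessionAudit.objects.get_or_create(
            session_key=request.session.session_key,
            defaults={
                "user": user,
                # REMOTE_ADDR is the proxy's address when behind one; adjust to taste
                "ip_address": request.META.get("REMOTE_ADDR"),
                "user_agent": request.META.get("HTTP_USER_AGENT", "")[:512],
            },
        )


# Constructed sample data (not from the thread): one expired account with two
# sessions, one still valid, one that never expires, one with no Profile row.
SAMPLE_NOW = datetime(2013, 4, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRATIONS = {
    1: SAMPLE_NOW - timedelta(days=1),   # expired yesterday
    2: SAMPLE_NOW + timedelta(days=30),  # still valid
    3: None,                             # never expires
}
SAMPLE_AUDIT_ROWS = [
    (1, "sess-alice-laptop"),
    (1, "sess-alice-phone"),
    (2, "sess-bob"),
    (3, "sess-carol"),
    (4, "sess-no-profile"),
]


def demo():
    """Run the policy step over the constructed sample data."""
    return session_keys_to_revoke(SAMPLE_AUDIT_ROWS, SAMPLE_EXPIRATIONS, SAMPLE_NOW)


if __name__ == "__main__":
    print(demo())
```

The split matters for the "fragile" concern in the question: the only place that touches the cache is `revoke_session()`, and it delegates to the same backend class the application already uses, so a change of session backend does not require touching the sweep or the middleware. The sweep only sees sessions that went through the middleware at least once; a session created by a login that never made another request is caught on its next request instead.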

