I’m working on a website that requires us to log a user out after N minutes of inactivity. Are there any best practices for this using Django?
Try setting settings.SESSION_COOKIE_AGE to N * 60 seconds.
Take a look at the session middleware and its settings. Specifically these two:
Default: 1209600 (2 weeks, in seconds)
The age of session cookies, in
Whether to save the session data on
every request. If this is False
(default), then the session data will
only be saved if it has been modified
— that is, if any of its dictionary values have been assigned or deleted.
Setting a low
SESSION_COOKIE_AGE and turning
SESSION_SAVE_EVERY_REQUEST on should work to create “sliding” expiration.
Setting the session cookie age in the django session middleware just sets the expiry time in the set-cookie header passed back to the browser. It’s only browser compliance with the expiry time that enforces the “log out”.
Depending on your reasons for needing the idle log-out, you might not consider browser compliance with the expiry time good enough. In which case you’ll need to extend the session middleware to do so.
For example you might store an expiry time in your session engine which you update with requests. Depending on the nature of traffic to your site, you may wish to only write back to the session object once in X seconds to avoid excessive db writes.
On "settings.py", for session expiry time, set SESSION_COOKIE_AGE which is 1209600 seconds(2 weeks) by default and for inactive logout, set "True" to SESSION_SAVE_EVERY_REQUEST which is "False" by default as shown below:
# "settings.py" SESSION_COOKIE_AGE = 180 # 3 minutes. "1209600(2 weeks)" by default SESSION_SAVE_EVERY_REQUEST = True # "False" by default