Terminate session after browser close or 15 minutes of inactivity #1584

Closed
jseppi opened this Issue Oct 2, 2017 · 4 comments

jseppi commented Oct 2, 2017

No description provided.

@jseppi jseppi self-assigned this Oct 2, 2017

toolness commented Oct 2, 2017

FWIW, I think that cloud.gov helps us with this a bit--it doesn't necessarily solve this issue, but it helps with security. Basically, the UAA tokens we get from cloud.gov only last 15 minutes, and we auto-refresh them transparently, unless cloud.gov denies the refresh, in which case we have to forcibly log out the user. See 18F/cg-django-uaa#24 for more details.

In the case of this issue, though, I guess we further want to set Django's cookie settings to behave in this way.

toolness commented Oct 2, 2017

Oh, I just realized that the title of this issue has an or and not an and!

Terminating session after browser close is definitely easy--we just use Django's SESSION_EXPIRE_AT_BROWSER_CLOSE setting.

The "15 minutes of inactivity" one can be harder because we need to define exactly what "inactivity" means. By default, Django considers "activity" to mean any time the user's session object is changed--but this could end up resulting in Django perceiving the user simply exploring the site as "inactivity". Alternatively, one could set Django's SESSION_SAVE_EVERY_REQUEST setting, which takes the opposite approach by simply saving the session on every single HTTP request--but this could backfire if e.g. we have some Ajax code that constantly polls some API endpoint on the site, thereby making Django think the user is constantly active when in fact they are not.

Anyways, this is all to say that if we only have to implement one of the solutions, I think terminating the session after browser close is by far the easiest.
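To make the "what counts as inactivity" question from the comment above concrete, here is an added example (not code from this project): a pure-Python model of a Django-style idle-timeout middleware that bumps a last-activity timestamp only for user-initiated requests and lets an allow-listed polling endpoint keep the session alive without counting as activity. The `/api/status/` path, the 15-minute constant and the timestamps in the demo are constructed assumptions.

```python
"""Idle-timeout check modelled on a Django middleware, without importing Django.

In a real project this logic would live in a middleware class that reads
request.path and request.session; here the session is a plain dict and the
clock is an explicit float so the behaviour can be run and tested offline.
SESSION_EXPIRE_AT_BROWSER_CLOSE = True would handle the browser-close half of
the issue; this function handles the inactivity half.
"""

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: 15 minutes, per the issue title
LAST_ACTIVITY_KEY = "last_activity"

# Machine-initiated requests (e.g. a JS timer polling an API) must not keep the
# session alive on their own. Constructed example path, not from the project.
NON_ACTIVITY_PATHS = {"/api/status/"}


def process_request(session: dict, path: str, now: float) -> bool:
    """Apply the idle-timeout rule for one request.

    Returns True if the request may proceed with its session, False if the
    session had been idle for longer than IDLE_TIMEOUT_SECONDS and was flushed
    (the equivalent of request.session.flush() in Django).
    """
    last = session.get(LAST_ACTIVITY_KEY)
    if last is not None and now - last > IDLE_TIMEOUT_SECONDS:
        # Expired: drop everything, including for a poll that arrives late,
        # so background traffic cannot resurrect a dead session.
        session.clear()
        return False
    if path not in NON_ACTIVITY_PATHS:
        # Only genuine user navigation counts as activity and extends the window.
        session[LAST_ACTIVITY_KEY] = now
    return True


def demo() -> list:
    """Constructed scenario: a user loads a page, a poller fires, then goes idle."""
    session: dict = {}
    t0 = 1_506_936_000.0  # constructed epoch timestamp
    results = []
    results.append(process_request(session, "/dashboard/", t0))            # user activity
    results.append(process_request(session, "/api/status/", t0 + 14 * 60))  # poll, no bump
    results.append(process_request(session, "/api/status/", t0 + 16 * 60))  # poll after idle
    return results  # [True, True, False]
```

Run `demo()` to see that the poll at 14 minutes is served without extending the session, so the next request at 16 minutes finds the session idle and flushes it.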

jseppi commented Oct 2, 2017

Looks like they intended to say that both the session clear on browser close AND on 15-minutes-of-inactivity need to happen.

jseppi pushed a commit that referenced this issue Oct 3, 2017

jseppi commented Oct 3, 2017

Given that we don't have a good way of detecting idle time as @toolness pointed out, for now we'll just go with expiring the session cookie upon browser close via the SESSION_EXPIRE_AT_BROWSER_CLOSE setting.
