Terminate session after browser close or 15 minutes of inactivity #1584
FWIW, I think that cloud.gov helps us with this a bit--it doesn't necessarily solve this issue, but it helps with security. Basically, the UAA tokens we get from cloud.gov only last 15 minutes, and we auto-refresh them transparently, unless cloud.gov denies the refresh, in which case we have to forcibly log out the user. See 18F/cg-django-uaa#24 for more details.
In the case of this issue, though, I guess we further want to set Django's cookie settings to behave in this way.
Oh, I just realized that the title of this issue has an "or" and not an "and"!
Terminating session after browser close is definitely easy--we just use Django's
The "15 minutes of inactivity" one can be harder because we need to define exactly what "inactivity" means. By default, Django considers "activity" to mean any time the user's session object is changed--but this could end up resulting in Django perceiving the user simply exploring the site as "inactivity". Alternatively, one could set Django's
Anyways, this is all to say that if we only have to implement one of the solutions, I think terminating the session after browser close is by far the easiest.
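
The two meanings of "inactivity" discussed in this thread, as an added example that is not part of any comment or of the project's code: a simplified pure-Python model (not Django itself) of a 15-minute session deadline that moves forward only when the session is saved. The `Request` class, the function names and the sample request times are constructed for illustration; the `save_every_request` flag models Django's `SESSION_SAVE_EVERY_REQUEST` setting.

```python
# Added example: a simplified model of session expiry, not Django code.
from dataclasses import dataclass

IDLE_LIMIT = 15 * 60  # seconds; the 15-minute limit from the issue title


@dataclass
class Request:
    at: int                 # seconds since login (constructed sample data)
    modifies_session: bool  # True if the view writes to the session


def simulate(requests, save_every_request):
    """Replay requests and return (time, outcome) pairs.

    The expiry deadline is pushed forward only when the session is saved.
    A save happens when the view modified the session, or on every request
    when save_every_request is True (the behaviour that Django's
    SESSION_SAVE_EVERY_REQUEST setting switches on).
    """
    expires_at = IDLE_LIMIT  # session is saved at login, t = 0
    outcomes = []
    for req in requests:
        if req.at >= expires_at:
            outcomes.append((req.at, "logged_out"))
            break
        if req.modifies_session or save_every_request:
            expires_at = req.at + IDLE_LIMIT
        outcomes.append((req.at, "ok"))
    return outcomes


def first_logout(requests, save_every_request):
    """Return the time of the forced logout, or None if the session survived."""
    for at, outcome in simulate(requests, save_every_request):
        if outcome == "logged_out":
            return at
    return None


# Constructed sample: a read-only page view every 5 minutes for 30 minutes.
BROWSING = [Request(at=t, modifies_session=False) for t in range(300, 1801, 300)]
# Constructed sample: the same user, then a 20-minute pause before one more click.
WITH_GAP = BROWSING + [Request(at=3000, modifies_session=False)]

if __name__ == "__main__":
    print(first_logout(BROWSING, save_every_request=False))  # active user, still cut off
    print(first_logout(BROWSING, save_every_request=True))   # active user stays logged in
    print(first_logout(WITH_GAP, save_every_request=True))   # a real idle gap still ends it
```

Saving on every request adds a session-store write to each page view, which is the cost of treating every request as activity.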