[bug 670024] Make login sessions expire only after a month.

* Give the has-a-session-cookie cookie the same expiry as the session cookie itself.
* Start using the LocalizingClient in SessionTests so we don't have to specify locales all the time.

apps/users/tests/test_views.py

@@ -299,6 +299,8 @@ def test_replace_missing_avatar(self):
 
 
 class SessionTests(TestCase):
+    client_class = LocalizingClient
+
     def setUp(self):
         self.u = user()
         self.u.save()
@@ -308,7 +310,7 @@ def setUp(self):
     @mock.patch.object(settings._wrapped, 'DEBUG', True)
     def test_login_sets_extra_cookie(self):
         """On login, set the SESSION_EXISTS_COOKIE."""
-        url = reverse('users.login', locale='en-US')
+        url = reverse('users.login')
         res = self.client.post(url, {'username': self.u.username,
                                      'password': 'testpass'})
         assert settings.SESSION_EXISTS_COOKIE in res.cookies
@@ -318,8 +320,32 @@ def test_login_sets_extra_cookie(self):
     @mock.patch.object(settings._wrapped, 'DEBUG', True)
     def test_logout_deletes_cookie(self):
         """On logout, delete the SESSION_EXISTS_COOKIE."""
-        url = reverse('users.logout', locale='en-US')
+        url = reverse('users.logout')
         res = self.client.get(url)
         assert settings.SESSION_EXISTS_COOKIE in res.cookies
         c = res.cookies[settings.SESSION_EXISTS_COOKIE]
         assert '1970' in c['expires']
+
+    @mock.patch.object(settings._wrapped, 'DEBUG', True, create=True)
+    @mock.patch.object(settings._wrapped, 'SESSION_EXPIRE_AT_BROWSER_CLOSE',
+                       True, create=True)
+    def test_expire_at_browser_close(self):
+        """If SESSION_EXPIRE_AT_BROWSER_CLOSE, do expire then."""
+        url = reverse('users.login')
+        res = self.client.post(url, {'username': self.u.username,
+                                     'password': 'testpass'})
+        c = res.cookies[settings.SESSION_EXISTS_COOKIE]
+        eq_('', c['max-age'])
+
+    @mock.patch.object(settings._wrapped, 'DEBUG', True, create=True)
+    @mock.patch.object(settings._wrapped, 'SESSION_EXPIRE_AT_BROWSER_CLOSE',
+                       False, create=True)
+    @mock.patch.object(settings._wrapped, 'SESSION_COOKIE_AGE', 123,
+                       create=True)
+    def test_expire_in_a_long_time(self):
+        """If not SESSION_EXPIRE_AT_BROWSER_CLOSE, set an expiry date."""
+        url = reverse('users.login')
+        res = self.client.post(url, {'username': self.u.username,
+                                     'password': 'testpass'})
+        c = res.cookies[settings.SESSION_EXISTS_COOKIE]
+        eq_(123, c['max-age'])

apps/users/views.py

@@ -39,7 +39,12 @@ def login(request):
 
     if request.user.is_authenticated():
         res = HttpResponseRedirect(next_url)
-        res.set_cookie(settings.SESSION_EXISTS_COOKIE, '1', secure=False)
+        max_age = (None if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE
+                        else settings.SESSION_COOKIE_AGE)
+        res.set_cookie(settings.SESSION_EXISTS_COOKIE,
+                       '1',
+                       secure=False,
+                       max_age=max_age)
         return res
 
     return jingo.render(request, 'users/login.html',

settings.py

@@ -499,9 +499,10 @@ def JINJA_CONFIG():
 
 #
 # Sessions
+SESSION_COOKIE_AGE = 4 * 7 * 24 * 60 * 60  # 4 weeks
 SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_HTTPONLY = True
-SESSION_EXPIRE_AT_BROWSER_CLOSE = True
+SESSION_EXPIRE_AT_BROWSER_CLOSE = False
 SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
 SESSION_EXISTS_COOKIE = 'sumo_session'