From 6a9e46ce1c2f9328b45049210f56c5cc31b256f0 Mon Sep 17 00:00:00 2001
From: Erik Rose
Date: Tue, 12 Jul 2011 17:49:09 -0700
Subject: [PATCH] [bug 670024] Make login sessions expire only after a month.

* Give the has-a-session-cookie cookie the same expiry as the session cookie itself.
* Start using the LocalizingClient in SessionTests so we don't have to specify locales all the time.
---
 apps/users/tests/test_views.py | 30 ++++++++++++++++++++++++++++--
 apps/users/views.py | 7 ++++++-
 settings.py | 3 ++-
 3 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/apps/users/tests/test_views.py b/apps/users/tests/test_views.py
index 2dfb01b2eb2..e9ea93e529f 100644
--- a/apps/users/tests/test_views.py
+++ b/apps/users/tests/test_views.py
@@ -299,6 +299,8 @@ def test_replace_missing_avatar(self):
 class SessionTests(TestCase):
+ client_class = LocalizingClient
+
 def setUp(self):
 self.u = user()
 self.u.save()
@@ -308,7 +310,7 @@ def setUp(self):
 @mock.patch.object(settings._wrapped, 'DEBUG', True)
 def test_login_sets_extra_cookie(self):
 """On login, set the SESSION_EXISTS_COOKIE."""
- url = reverse('users.login', locale='en-US')
+ url = reverse('users.login')
 res = self.client.post(url, {'username': self.u.username,
 'password': 'testpass'})
 assert settings.SESSION_EXISTS_COOKIE in res.cookies
@@ -318,8 +320,32 @@ def test_login_sets_extra_cookie(self):
 @mock.patch.object(settings._wrapped, 'DEBUG', True)
 def test_logout_deletes_cookie(self):
 """On logout, delete the SESSION_EXISTS_COOKIE."""
- url = reverse('users.logout', locale='en-US')
+ url = reverse('users.logout')
 res = self.client.get(url)
 assert settings.SESSION_EXISTS_COOKIE in res.cookies
 c = res.cookies[settings.SESSION_EXISTS_COOKIE]
 assert '1970' in c['expires']
+
+ @mock.patch.object(settings._wrapped, 'DEBUG', True, create=True)
+ @mock.patch.object(settings._wrapped, 'SESSION_EXPIRE_AT_BROWSER_CLOSE',
+ True, create=True)
+ def test_expire_at_browser_close(self):
+ """If SESSION_EXPIRE_AT_BROWSER_CLOSE, do expire then."""
+ url = reverse('users.login')
+ res = self.client.post(url, {'username': self.u.username,
+ 'password': 'testpass'})
+ c = res.cookies[settings.SESSION_EXISTS_COOKIE]
+ eq_('', c['max-age'])
+
+ @mock.patch.object(settings._wrapped, 'DEBUG', True, create=True)
+ @mock.patch.object(settings._wrapped, 'SESSION_EXPIRE_AT_BROWSER_CLOSE',
+ False, create=True)
+ @mock.patch.object(settings._wrapped, 'SESSION_COOKIE_AGE', 123,
+ create=True)
+ def test_expire_in_a_long_time(self):
+ """If not SESSION_EXPIRE_AT_BROWSER_CLOSE, set an expiry date."""
+ url = reverse('users.login')
+ res = self.client.post(url, {'username': self.u.username,
+ 'password': 'testpass'})
+ c = res.cookies[settings.SESSION_EXISTS_COOKIE]
+ eq_(123, c['max-age'])
diff --git a/apps/users/views.py b/apps/users/views.py
index 231f951836e..b0e82b32762 100644
--- a/apps/users/views.py
+++ b/apps/users/views.py
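Review bot: `test_expire_at_browser_close` pins only `c['max-age']`, so a regression that sets an `expires` date while leaving max-age empty would still pass; adding `eq_('', c['expires'])` beside the existing assertion makes the browser-close case symmetric with `test_logout_deletes_cookie`, which does inspect `expires`. Likewise `test_expire_in_a_long_time` could assert that `expires` is populated once `max_age` is given, if the Django version in use derives it from max_age inside `set_cookie` (that helper is outside this diff, so treat it as something to confirm). The two new tests repeat the login POST from `test_login_sets_extra_cookie`; a small `_login()` helper on `SessionTests` would keep the three in step if the form fields change.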
@@ -39,7 +39,12 @@ def login(request):
 if request.user.is_authenticated():
 res = HttpResponseRedirect(next_url)
- res.set_cookie(settings.SESSION_EXISTS_COOKIE, '1', secure=False)
+ max_age = (None if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE
+ else settings.SESSION_COOKIE_AGE)
+ res.set_cookie(settings.SESSION_EXISTS_COOKIE,
+ '1',
+ secure=False,
+ max_age=max_age)
 return res
 return jingo.render(request, 'users/login.html',
diff --git a/settings.py b/settings.py
index 9000d57c386..ce1542cb83d 100644
--- a/settings.py
+++ b/settings.py
@@ -499,9 +499,10 @@ def JINJA_CONFIG():
 #
 # Sessions
+SESSION_COOKIE_AGE = 4 * 7 * 24 * 60 * 60 # 4 weeks
 SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_HTTPONLY = True
-SESSION_EXPIRE_AT_BROWSER_CLOSE = True
+SESSION_EXPIRE_AT_BROWSER_CLOSE = False
 SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
 SESSION_EXISTS_COOKIE = 'sumo_session'
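Review bot: `max_age` is computed from the global settings rather than from the session, so the indicator cookie can drift from the real session cookie it is meant to mirror: a per-session lifetime set through `request.session.set_expiry()` is not reflected, and (as far as I recall of SessionMiddleware, which is outside this diff) the session cookie is re-sent with a fresh expiry whenever the session is saved while this cookie keeps its login-time expiry. The session object already exposes the effective values, so `max_age = (None if request.session.get_expire_at_browser_close() else request.session.get_expiry_age())` would track whatever the middleware puts on the session cookie and is identical to the current expression in the default case. `login` begins and ends outside the hunk, so I cannot see whether anything before this point could run without `request.session`; a one-line comment such as `# Mirror the session cookie's lifetime so the "session exists" flag cannot outlive or undercut it.` would also record why `max_age` is set here at all.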
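Review bot: The move from browser-close sessions to a 4-week persistent `SESSION_COOKIE_AGE` is a deliberate security trade-off that the settings file does not record; the `# 4 weeks` comment only restates the arithmetic. A comment tying the two settings together would help the next reader, e.g. `# bug 670024: sessions persist across browser restarts; SESSION_COOKIE_AGE is the lifetime of both the session cookie and the SESSION_EXISTS_COOKIE set in users.views.login.` It is worth noting in the same comment that `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_HTTPONLY` stay `True`, since those flags are what keep a longer-lived session cookie off plain HTTP and away from script access.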