Is there a way to combine behavior of SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE

Views: 1450

Problem description

For security reasons I set SESSION_EXPIRE_AT_BROWSER_CLOSE to true.

But browser-length cookies (cookies that expire as soon as the user closes his or her browser) don't have an expiry time, so SESSION_COOKIE_AGE has no effect (yes, I checked it). But I want to set a logout/timeout on inactivity plus a logout on browser closing.

My question is: what is the best way to implement an inactivity timeout/logout in a browser-length cookie scheme?

Recommended answer

As you explain, SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE are not compatible. When you set an expiration date on a cookie, that cookie is no longer a browser-length cookie.

Then, in order to achieve your desired behavior, you should set SESSION_EXPIRE_AT_BROWSER_CLOSE to True and control the expiry timeout by hand.

An elegant way to control the expiry timeout by hand is:

  1. Create a new custom middleware that controls the timeout.
  2. Modify settings.py to enable your custom middleware (and sessions).

The timeout custom middleware can look like this:

import datetime

from django.contrib.auth import logout


class timeOutMiddleware(object):

    def process_request(self, request):
        # is_authenticated() is a method in the Django 1.x releases this
        # answer targets (it became a property in Django 1.10).
        if request.user.is_authenticated():
            if 'lastRequest' in request.session:
                elapsedTime = datetime.datetime.now() - \
                              request.session['lastRequest']
                # total_seconds() includes whole days; timedelta.seconds
                # alone wraps around after 24 hours of inactivity.
                if elapsedTime.total_seconds() > 15*60:
                    del request.session['lastRequest']
                    logout(request)  # flushes the session as well

            request.session['lastRequest'] = datetime.datetime.now()
        else:
            if 'lastRequest' in request.session:
                del request.session['lastRequest']

        return None

Remember to enable sessions, in order to store lastRequest.

This solution was written and tested by me and is now working on my site. This code has a GNU license ;)

New on Django 1.6 ( ... two years later ... )

Datetime and timedelta values are only serializable if you are using the PickleSerializer. If not, perhaps the easy solution is to translate the datetime to a Unix timestamp and back. Feel free to post this translation below.

Edited

The django-session-security app provides a mechanism to log out inactive authenticated users. Take a look.
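The timestamp translation the answer asks for, combined with the inactivity check from the middleware, as an added example (not code from the answer or from Django). The Django wiring is left out: `touch_last_request` works on any dict-like session object and tells the caller when to invoke logout(request); the `lastRequest` key and the 15-minute threshold are taken from the middleware above.

```python
import json
import time
from datetime import datetime, timezone

INACTIVITY_TIMEOUT = 15 * 60  # seconds, same threshold as the middleware above


def to_timestamp(dt):
    """datetime -> integer Unix time (JSON-friendly). Naive values are read as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def from_timestamp(ts):
    """integer Unix time -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def touch_last_request(session, authenticated, now=None, timeout=INACTIVITY_TIMEOUT):
    """Record the current request time in `session` and report expiry.

    `session` is any dict-like object with get/pop/clear (Django's session
    object qualifies). Returns True when the user was idle longer than
    `timeout`; the session has then been cleared and the caller should
    call logout(request). Only an int is stored, so the default
    JSONSerializer can encode it.
    """
    if now is None:
        now = time.time()
    if not authenticated:
        # Anonymous users carry no marker; drop a stale one if present.
        session.pop('lastRequest', None)
        return False
    last = session.get('lastRequest')
    # Plain number subtraction: unlike timedelta.seconds, this does not
    # wrap around after a full day of inactivity.
    if last is not None and now - last > timeout:
        session.clear()  # mirrors the flush that logout() performs
        return True
    session['lastRequest'] = int(now)
    return False


def is_json_serializable(value):
    """True if Django's JSONSerializer (plain json) could store `value`."""
    try:
        json.dumps(value)
        return True
    except TypeError:
        return False
```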
