由于 Django 中的不活动,如何使会话过期? [英] How to expire session due to inactivity in Django?
问题描述
我们的 Django 应用程序具有以下会话管理要求.
Our Django application has the following session management requirements.
- 会话在用户关闭浏览器时过期.
- 会话在一段时间不活动后到期.
- 检测会话何时因不活动而过期并向用户显示适当的消息.
- 在不活动期结束前几分钟警告用户即将到期的会话.与警告一起,为用户提供延长会话的选项.
- 如果用户在应用内处理不涉及向服务器发送请求的长时间业务活动,则会话不得超时.
在阅读文档、Django 代码和一些与此相关的博客文章后,我想出了以下实现方法.
After reading the documentation, Django code and some blog posts related to this, I have come up with the following implementation approach.
要求 1
通过将 SESSION_EXPIRE_AT_BROWSER_CLOSE 设置为 True,可以轻松实现此要求.
Requirement 1
This requirement is easily implemented by setting SESSION_EXPIRE_AT_BROWSER_CLOSE to True.
要求 2
我看到了一些使用 SESSION_COOKIE_AGE 设置会话到期时间的建议.但是这种方法存在以下问题.
Requirement 2
I have seen a few recommendations to use SESSION_COOKIE_AGE to set the session expiry period. But this method has the following problems.
会话总是在 SESSION_COOKIE_AGE 结束时过期,即使用户正在积极使用应用程序.(这可以通过使用自定义中间件在每个请求上将会话过期设置为 SESSION_COOKIE_AGE 或通过将 SESSION_SAVE_EVERY_REQUEST 设置为 true 来保存每个请求上的会话来防止.但由于使用了 SESSION_COOKIE_AGE,下一个问题是不可避免的.)
The session always expires at the end of the SESSION_COOKIE_AGE even if the user is actively using the application. (This can be prevented by setting the session expiry to SESSION_COOKIE_AGE on every request using a custom middleware or by saving the session on every request by setting SESSION_SAVE_EVERY_REQUEST to true. But the next problem is unavoidable due to the use of SESSION_COOKIE_AGE.)
由于 cookie 的工作方式,SESSION_EXPIRE_AT_BROWSER_CLOSE 和 SESSION_COOKIE_AGE 是互斥的,即 cookie 要么在浏览器关闭时过期,要么在指定的过期时间过期.如果使用了 SESSION_COOKIE_AGE 并且用户在 cookie 到期之前关闭了浏览器,则 cookie 将被保留,重新打开浏览器将允许用户(或其他任何人)进入系统而无需重新进行身份验证.
Due to the way cookies work, SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE are mutually exclusive i.e. the cookie either expires on browser close or at the specified expiry time. If SESSION_COOKIE_AGE is used and the user closes the browser before the cookie expires, the cookie is retained and reopening the browser will allow the user (or anyone else) into the system without being re-authenticated.
Django 仅依靠存在的 cookie 来确定会话是否处于活动状态.它不会检查与会话一起存储的会话到期日期.
Django relies only on the cookie being present to determine if the session is active. It doesn't check the session expiry date stored with the session.
可以使用以下方法来实现此要求并解决上述问题.
The following method could be used to implemented this requirement and to workaround the problems mentioned above.
- 请勿设置 SESSION_COOKIE_AGE.
- 将每个请求的会话到期日期设置为当前时间 + 非活动期".
- 覆盖 SessionMiddleware 中的 process_request 并检查会话是否过期.如果会话已过期,则丢弃该会话.
要求 3
当我们检测到会话已经过期时(在上面的自定义 SessionMiddleware 中),在请求上设置一个属性来指示会话过期.此属性可用于向用户显示适当的消息.
Requirement 3
When we detect that the session has expired (in the custom SessionMiddleware above), set an attribute on the request to indicate session expiry. This attribute can be used to display an appropriate message to the user.
要求 4
使用 JavaScript 检测用户不活动、提供警告以及延长会话的选项.如果用户希望延长,请向服务器发送保持活动脉冲以延长会话.
Requirement 4
Use JavaScript to detect user inactivity, provide the warning and also an option to extend the session. If the user wishes to extend, send a keep alive pulse to the server to extend the session.
要求 5
使用 JavaScript 检测用户活动(在长期业务运营期间)并向服务器发送保持活动脉冲以防止会话过期.
Requirement 5
Use JavaScript to detect user activity (during the long business operation) and send keep alive pulses to the server to prevent session from expiring.
上面的实现方法看起来很复杂,我想知道是否有更简单的方法(尤其是对于需求 2).
The above implementation approach seem very elaborate and I was wondering if there might a simpler method (especially for Requirement 2).
任何见解将不胜感激.
推荐答案
我刚开始使用 Django.
I am just pretty new to use Django.
如果登录的用户关闭浏览器或空闲(不活动超时)一段时间,我想让会话过期.当我用谷歌搜索它时,首先出现了这个 SOF 问题.多亏了很好的回答,我查找了资源以了解中间件在 Django 的请求/响应周期中是如何工作的.很有帮助.
I wanted to make session expire if logged user close browser or are in idle(inactivity timeout) for some amount of time. When I googled it to figure out, this SOF question came up first. Thanks to nice answer, I looked up resources to understand how middlewares works during request/response cycle in Django. It was very helpful.
我正要按照此处的最佳答案将自定义中间件应用到我的代码中.但我还是有点怀疑,因为这里的最佳答案是在 2011 年编辑的.我花了更多时间从最近的搜索结果中搜索了一下,并想出了简单的方法.
I was about to apply custom middleware into my code following top answer in here. But I was still little bit suspicious because best answer in here was edited in 2011. I took more time to search little bit from recent search result and came up with simple way.
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_AGE = 10 # set just 10 seconds to test
SESSION_SAVE_EVERY_REQUEST = True
我没有检查其他浏览器,而是 chrome.1. 即使设置了 SESSION_COOKIE_AGE,当我关闭浏览器时会话也会过期.2.只有当我空闲超过10秒时,A session才会过期.感谢 SESSION_SAVE_EVERY_REQUEST,每当您发生新请求时,它都会保存会话并更新超时时间
I didn't check other browsers but chrome. 1. A session expired when I closed a browser even if SESSION_COOKIE_AGE set. 2. Only when I was idle for more than 10 seconds, A session expired. Thanks to SESSION_SAVE_EVERY_REQUEST, whenever you occur new request, It saves the session and updates timeout to expire
要更改此默认行为,请将 SESSION_SAVE_EVERY_REQUEST 设置设为 True.设置为 True 时,Django 将在每次请求时将会话保存到数据库中.
To change this default behavior, set the SESSION_SAVE_EVERY_REQUEST setting to True. When set to True, Django will save the session to the database on every single request.
请注意,会话 cookie 仅在创建或修改会话时发送.如果 SESSION_SAVE_EVERY_REQUEST 为 True,则每次请求都会发送会话 cookie.
Note that the session cookie is only sent when a session has been created or modified. If SESSION_SAVE_EVERY_REQUEST is True, the session cookie will be sent on every request.
同样,每次发送会话 cookie 时都会更新会话 cookie 的过期部分.
Similarly, the expires part of a session cookie is updated each time the session cookie is sent.
我只是留下答案,这样一些像我这样的 Django 新手就不会像我那样花太多时间去寻找解决方案.
I just leave answer so that some people who is a kind of new in Django like me don't spend much time to find out solution as a way I did.
这篇关于由于 Django 中的不活动,如何使会话过期?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
