Database session deletion


Database session deletion

George-Cristian Bîrzan
The documentation explicitly mentions that expired sessions aren't automatically deleted from the database, except when the user manually logs out. [1]

That, however, isn't the case. Firstly, when trying to access a user whose password was changed, the session is deleted from the database. [2] This, to me, seems the correct behaviour, and I think there should be a bug filed against the docs.

There's also a second case where this happens. [3] This one is a bit harder to follow. The way I read it, if you're already logged in and log in again, OR if the password is different (this is the part I have trouble understanding; I guess this can only happen when you call login for the same user, but don't verify the password). The latter part was added in https://github.com/django/django/commit/fd23c06023a0585ee743c0752dc94da66694cf63

The first part, logging in as another user, should act like a logout/login, but the docs need a mention of it. The second, I don't really understand, so I'm not sure what the change to the docs should say.



--
George-Cristian Bîrzan

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMxNYabP8ayBao6FNeGMGZGAvLN%2BSQt1Cd-gcco6V6xM1k_RNQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Database session deletion

Adam Johnson-2
Hi George-Cristian,

I agree, the 'clearing the session store' paragraph could be more explicit about the conditions under which sessions do get deleted. I encourage you to check https://docs.djangoproject.com/en/dev/internals/contributing/ , open a ticket, and make a PR with some updated wording :)

I also think the two cases you're looking at are part of the same logic to delete sessions for users whose passwords have changed, and these two code paths are implementing the same feature at different points. The first is during user-fetching (normally from request.user added by AuthenticationMiddleware), the second when login() is called on a non-logged-in session (that may have been logged in previously, possibly).

Looking forward to your PR,

Adam

On 3 January 2018 at 11:56, George-Cristian Bîrzan <[hidden email]> wrote:
The documentation explicitly mentions that expired sessions aren't automatically deleted from the database, except when the user manually logs out. [1]

That, however, isn't the case. Firstly, when trying to access a user whose password was changed, the session is deleted from the database. [2] This, to me, seems the correct behaviour, and I think there should be a bug filed against the docs.

There's also a second case where this happens. [3] This one is a bit harder to follow. The way I read it, if you're already logged in and log in again, OR if the password is different (this is the part I have trouble understanding; I guess this can only happen when you call login for the same user, but don't verify the password). The latter part was added in https://github.com/django/django/commit/fd23c06023a0585ee743c0752dc94da66694cf63

The first part, logging in as another user, should act like a logout/login, but the docs need a mention of it. The second, I don't really understand, so I'm not sure what the change to the docs should say.



--
George-Cristian Bîrzan




--
Adam

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM26Oi_2gTE44b5wYnX3kbZAJQJwOxqkHi1NDWDZP6MaCw%40mail.gmail.com.
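
The two deletion paths discussed in this thread, as a simplified stand-alone model (an added example, not Django's source and not code from either poster). `SESSION_KEY` and `HASH_SESSION_KEY` mirror the names Django uses; `SECRET`, `store`, `User`, `Session` and `hash_matches` are illustrative stand-ins, and the key cycling that the real `login()` does on a fresh session is left out.

```python
import hashlib, hmac, secrets

SECRET = b"constructed-secret"  # stand-in for settings.SECRET_KEY
SESSION_KEY, HASH_SESSION_KEY = "_auth_user_id", "_auth_user_hash"
store = {}  # session key -> data; stand-in for the django_session table

class User:
    def __init__(self, pk, password_hash):
        self.pk, self.password = pk, password_hash
    def get_session_auth_hash(self):
        # HMAC over the stored password hash, so it changes with the password
        return hmac.new(SECRET, self.password.encode(), hashlib.sha256).hexdigest()

class Session:
    def __init__(self):
        self.key = secrets.token_hex(8)
        store[self.key] = {}
    @property
    def data(self):
        return store[self.key]
    def flush(self):
        del store[self.key]  # the row is deleted, not just expired
        self.__init__()      # continue under a fresh, empty session

def hash_matches(session, user):
    saved = session.data.get(HASH_SESSION_KEY, "")
    return hmac.compare_digest(saved, user.get_session_auth_hash())

def get_user(session, users):
    """Path 1: user-fetching on each request."""
    user = users.get(session.data.get(SESSION_KEY))
    if user is not None and not hash_matches(session, user):
        session.flush()
        return None
    return user

def login(session, user):
    """Path 2: login() on a session that may already carry a user."""
    if SESSION_KEY in session.data and (
            session.data[SESSION_KEY] != user.pk or not hash_matches(session, user)):
        session.flush()
    session.data[SESSION_KEY] = user.pk
    session.data[HASH_SESSION_KEY] = user.get_session_auth_hash()

def demo():
    alice, bob = User(1, "constructed-hash-old"), User(2, "constructed-hash-bob")
    s = Session(); login(s, alice); first = s.key
    alice.password = "constructed-hash-new"      # password changed elsewhere
    fetched = get_user(s, {1: alice, 2: bob})    # path 1 deletes the stale row
    login(s, alice); second = s.key
    login(s, bob)                                # path 2: different user
    return fetched, first not in store, second not in store
```
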