[Django] #30714: Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE both being set

Django
#30714: Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and
SESSION_COOKIE_AGE both being set
-------------------------------------------------+------------------------
               Reporter:  Adam (Chainz) Johnson  |          Owner:  nobody
                   Type:  New feature            |         Status:  new
              Component:  contrib.sessions       |        Version:  master
               Severity:  Normal                 |       Keywords:
           Triage Stage:  Unreviewed             |      Has patch:  0
    Needs documentation:  0                      |    Needs tests:  0
Patch needs improvement:  0                      |  Easy pickings:  1
                  UI/UX:  0                      |
-------------------------------------------------+------------------------
 The two settings `SESSION_EXPIRE_AT_BROWSER_CLOSE` and
 `SESSION_COOKIE_AGE` are mutually exclusive. If a user has set both of
 them, they should be warned with a system check.

--
Ticket URL: <https://code.djangoproject.com/ticket/30714>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/053.dfa1274816930ab95d0a9ce7401fc24b%40djangoproject.com.

Re: [Django] #30714: Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE both being set

Django
#30714: Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and
SESSION_COOKIE_AGE both being set
-------------------------------------+-------------------------------------
     Reporter:  Adam (Chainz)        |                    Owner:  nobody
  Johnson                            |
         Type:  New feature          |                   Status:  closed
    Component:  contrib.sessions     |                  Version:  master
     Severity:  Normal               |               Resolution:  wontfix
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 I'm not sure about this.

 `SESSION_COOKIE_AGE` defaults to two weeks. (OK, one thinks). I don't
 touch that. I simply enable `SESSION_EXPIRE_AT_BROWSER_CLOSE` and all of a
 sudden I get a warning?

 That seems less than ideal.

 Either we need to rationalize these settings somehow. (Maybe
 `SESSION_COOKIE_AGE == 0` entailing `SESSION_EXPIRE_AT_BROWSER_CLOSE`?) Or
 accept that whilst related they're not strictly interdependent.

 Happy to think about it, but a decision is needed first no? Going to say
 `wontfix` plus possible discussion on DevelopersMailingList for that
 reason. Happy to reopen later if we can come up with something.

--
Ticket URL: <https://code.djangoproject.com/ticket/30714#comment:1>

Re: [Django] #30714: Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE both being set

Comment (by Adam (Chainz) Johnson):

 The check can use `settings.is_overridden` to check that the user has set
 it, rather than it being the default coming from the global settings file
 :)

 I posted this ticket because it happened to me, found a project that had
 both configured and it wasn't clear which was intended by the original
 developer.

--
Ticket URL: <https://code.djangoproject.com/ticket/30714#comment:2>

Re: [Django] #30714: Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE both being set

Comment (by Carlton Gibson):

 Yeah... still not convinced they're contraries.
 `SESSION_EXPIRE_AT_BROWSER_CLOSE` trumps whatever value you have for
 `SESSION_COOKIE_AGE`, so if you set, you meant that. I'm not at all
 convinced we need a system check here.

--
Ticket URL: <https://code.djangoproject.com/ticket/30714#comment:3>

Re: [Django] #30714: Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE both being set

Comment (by Adam (Chainz) Johnson):

 I think the confusion was that the behaviours don't combine. You can't
 have a session that is maximum 30 minutes but also disappears if the
 browser is closed. The docs could be clearer but I think a check is the
 easiest way to prevent such misconfiguration.

--
Ticket URL: <https://code.djangoproject.com/ticket/30714#comment:4>