I was using SessionStore for user login, with the default db session engine (mysql). When user calls login API, I would create a SessionStore and save (which the session would be expired in 10 seconds):
Which the expiry - now increases suddenly. While SessionStore tells me the expired token still exists (session.exists(session_key = myExpiredToken) returns True), SessionStore seems return a new SessionStore which has no session_key yet instead of returning the old expired session. Is that true?
I was expecting if I try to query the expired session, I would still have the session with data the same as when it was not expired.
Is it the designed behaviour (ie : returns a new SessionStore if I query an expired session)?
My current conjecture would be that yes, you are creating a new session.
I would need to see the more complete example of what you’re doing to be able to explain exactly what you’re seeing. But in the general case, you cannot retrieve data from an expired session.
To explore the properties of session, just created 3 API (2 actually , an API have get and post versions) :
from django.http import HttpResponse
from django.http import JsonResponse
import random
from importlib import import_module
from django.conf import settings
SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
def login(request):
session = SessionStore()
session["third_party_token"] = "abc"
session.set_expiry(10)
session.create()
session.save()
return JsonResponse({"msg":session.session_key})
def play_get(request):
return play( request.GET.get('token') )
def play_post(request):
return play( request.POST.get('token') )
def play(token):
try:
session = SessionStore()
if not session.exists(session_key = token):
raise Exception("invalid token")
session = SessionStore(session_key = token)
if session == None:
return HttpResponse("token invalid")
if session.session_key == None:
return HttpResponse("token expired")
return JsonResponse({session.session_key:str(session.is_empty()) + " --- " + str(random.randint(1,10000))})
except Exception as e:
return JsonResponse({"error":1,"msg":str(e)})
What I try to do:
call http://localhost:8000/testapp/login/ to get a new token that would expire after 10 seconds (eg: return {“msg”: “seqzwxk7vhe9yf684lpx1vpn4c1wyyh6})
Pass the token to play API (eg: http://localhost:8000/testapp/play_get/?token=seqzwxk7vhe9yf684lpx1vpn4c1wyyh6 ) to check if the token expires (or pass my validations)
I found if the token expires (after 10 seconds), the session = SessionStore(session_key = token) seems don’t always return a new session (I opened a new project to test it before, session.session_key == None is true for a while, and restart the computer then start the server again, session.session_key == None becomes false suddenly even I don’t modify the code… the output is : {“seqzwxk7vhe9yf684lpx1vpn4c1wyyh6”: “False — 6687”} , which indicates the code does raise exceptions due to session.session_key == None)
Also I found even though the session expired, session.is_empty() still returns False.
It seems the best way to check if the session non-exists or is expired is to use len(session.keys()) == 0 :
This is what I was warning about earlier. You don’t do this in a view.
The session for a request is retrieved from the request object. There is no need for you to try and “manage” the session storage for a user making requests.
Hi, I know there is the normal way to access token, but currently I’m developing API based server (which users don’t access the server by browsers directly)…
Or you mean I should use syntax session[“name“] = “something“ at login API, and then keep session = SessionStore(session_key = token) at other API that requires login to go?
Hi, my server is a game API server, and is suppose to be connected by some third party frontend that would try to get token from my server to login , the following is the sample client side code:
//third_party_frontend.html/?uid=abcdefg
let uid="";
if(window.location.search.length>0){
for(const data of window.location.search.substring(1).split("&")){
const param=data.split("=");
if(param[0]=="uid"){
uid=param[1];
}
}
}
xhr.onreadystatechange = (function(){
if (xhr.readyState === 4) {
//get token from my server , eg : MyGlobalData.token = responseJSON.result.token
}
}).bind(this);
xhr.open("POST",(myserver)/login, true); //call login API at my server
xhr.setRequestHeader("Content-type", "application/json;charset=UTF-8");
xhr.send("{'uid':" + uid + "}");
Then other API at my server needs the token to access (eg: play API, that would draw some prizes and tell the draw result to the client), so the frontend would do something like that:
xhr.onreadystatechange = (function(){
if (xhr.readyState === 4) {
//get the play result
}
}).bind(this);
xhr.open("POST",(myserver)/play, true); //call play API at my server
xhr.setRequestHeader("Content-type", "application/json;charset=UTF-8");
xhr.send("{'token':" + MyGlobalData.token + "}");
As the client doesn’t visit (myserver)/login directly, so I thought I can’t use request.session directly and hence trying to create session manually in login API (session = SessionStore()) . Is it the valid case to create session manually? Or I still need to use syntax session[“something“] = abc to create the session at login instead of creating session manually using syntax session = SessionStore()?