Session management settings

Using Django Getting Started
1

Base on Django documentation, I added project settings below:

SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_AGE = 180
SESSION_SAVE_EVERY_REQUEST = True

After I login, there was a session entry created on database django_session table.
But after I close the browser window, the session record stayed on DB, and its expire_date value was not changed. At this time, if I open the page again with browser before the expiration time, the page would shown as logged on.
This indicates the “SESSION_EXPIRE_AT_BROWSER_CLOSE” setting didn’t work at all.

The other two configuration worked. But after a timeout, the page will stay without any change. If I do anything with the page, it will not function since the session was actually timed out. I expected the page will logout the user, or re-direct to login page on timeout.
Anything I missed?

2

Just closing one tab doesn’t do it - the browser must be completely closed.

The session times out on the server, not in the browser. The server can only react to requests made by the browser, the server can’t force a page-change on the browser.

3

Thanks Ken for the response.
Yes, if I close ALL browser windows, the SESSION_EXPIRE_AT_BROWSER_CLOSE worked. But as long as I have any other browser window open, even if it’s completely un-related to this app, this feature will not work. This is weird behavior since users usually have many different browser windows, closing this app’s browser window should be enough. I already feel that need users close all tabs already too much. Now need close all windows.

About time out, I saw other apps pop a window telling user the session will expire in a minute, and a count down clock. If user do nothing it will expire and re-direct to login. If other web app able to do this, why not Django?

Thanks!

4

That’s a limitation of the browser, not Django. Django has no control over that.

Those other apps are using JavaScript for that. Their server isn’t doing it, it’s code running in the browser providing that functionality. Again, that’s not something under Django’s control.