Users are getting forcibly logged off after upgrade to Django 3.1

Hello,

I have upgraded my server from Django 2.1.7 to 3.1.0 today, and since then, many of my users are getting forcibly logged off after some time.

They log back in and get logged out again after a maximum of a few minutes (most almost immediately).

I didn’t change any code that is remotely related to logging in/out after the update. It also seems to happen under random conditions.

Any idea what could cause this?

Are you using any third-party applications – django-session-security, for example?

The third party applications I use are:

'rest_framework',
'rest_framework.authtoken',
'django_mysql',
'silk'

What version of the Django Rest Framework are you on? Have you upgraded that as well to ensure you’re current?

That was about to be my next question :slight_smile: Also, is the version of rest_framework.authtoken compatible with Django 3.1?

Edit:

Never mind, authtoken is included in rest_framework.

From the django-rest-framework.org home page, notice the versions of Django identified as being supported:

Requirements

REST framework requires the following:

  • Python (3.5, 3.6, 3.7, 3.8)
  • Django (2.2, 3.0)

We highly recommend and only officially support the latest patch release of each Python and Django series.

If you can, create a snapshot of your current server instance and then downgrade Django to 3.0. Let us know if that makes a difference :slight_smile:

After downgrading to Django 3.0, I am now getting disconnected myself immediately after logging in.
I suppose that is some progress, as before I couldn’t repro the bug myself :sweat_smile:

I have the latest version of django-rest-framework: 3.11.1

Downgrading is not compatible; new versions of Django often include migrations in contrib apps that aren’t backwards compatible. It’s probably not worth the risk to try downgrading unless your site is simple or low traffic.

It’s a shame you didn’t upgrade 2.1 → 2.2, 2.2 → 3.0, then 3.0 → 3.1 as per the upgrade documentation. Jumping versions is not supported, and we now can’t narrow the issue down so well to which version caused the change.

From memory there was a discussion about a session change in 3.1: https://groups.google.com/d/msgid/django-developers/2a3d706d-6f78-406e-b7a9-3bba3ea9b7e6n%40googlegroups.com?utm_medium=email&utm_source=footer . I think this has been resolved though and would only affect you if you were running different versions in parallel.

Since 3.1 is still quite fresh, it’s worth checking recently opened tickets to see if any other reports match what you’re seeing.

What version of Python are you running?

Good to know! Thanks for the information :slight_smile:

I am on Python 3.6.

I didn’t realize there was no way to upgrade directly to Django 3.1 :frowning:

I upgraded back to 3.1 and I can log in again - but many of my users are still running into the issue.

I am not running multiple versions of Django.

From reading the conversation, it looks like some sort of incompatibility between sessions data? Is there maybe a way to make sure everyone is using sessions from 3.1?

Maybe python manage.py clearsessions is your solution?

Tried clearsessions, but after a few hours I am still receiving reports of users getting disconnected. :frowning:

@divonelnc what does your logout page look like? Is it just a link or a form with a “logout” button? If the former, a JavaScript script or just Chrome’s page prefetching mechanism might have logged your users out by simply accessing the /logout link.
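The failure mode suggested in the post above, as an added example that is not part of the original thread: a standard-library WSGI sketch (not Django code) in which a logout URL reachable by GET ends the session whenever something fetches it in the background, while a POST-only endpoint does not. The in-memory session store, the `make_app`, `request` and `background_fetch_scenario` names, and the sample session are assumptions constructed for illustration.

```python
def make_app(sessions, allow_get_logout):
    """Build a tiny WSGI app over an in-memory session store (constructed)."""
    def app(environ, start_response):
        # Pull the session id out of the Cookie header ("sessionid" is Django's default name).
        cookie = environ.get("HTTP_COOKIE", "")
        sid = cookie.partition("sessionid=")[2].split(";")[0]
        if environ["PATH_INFO"] == "/logout":
            # Hardened form: only an explicit POST may change state.
            if environ["REQUEST_METHOD"] != "POST" and not allow_get_logout:
                start_response("405 Method Not Allowed", [("Allow", "POST")])
                return [b""]
            sessions.pop(sid, None)  # the session is destroyed here
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        # Any other path: report whether the session is still valid.
        status = "200 OK" if sid in sessions else "401 Unauthorized"
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]
    return app


def request(app, method, path, sid):
    """Call the WSGI app directly and return the status line it produced."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "HTTP_COOKIE": f"sessionid={sid}",
    }
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]


def background_fetch_scenario(allow_get_logout):
    """A logged-in user whose browser fetches /logout without any click."""
    sessions = {"s1": "alice"}  # constructed sample session
    app = make_app(sessions, allow_get_logout)
    # A prefetch or script-driven fetch is an ordinary GET carrying the cookie.
    fetch_status = request(app, "GET", "/logout", "s1")
    # The user's next real page load.
    next_page_status = request(app, "GET", "/", "s1")
    return fetch_status, next_page_status


if __name__ == "__main__":
    print("logout via GET allowed:", background_fetch_scenario(True))
    print("logout POST-only:      ", background_fetch_scenario(False))
```

In Django itself, the same restriction is applied to a logout view with the `require_POST` decorator from `django.views.decorators.http`.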

Is it possible that some users are running the old Django code instead of the latest?

I discovered that some pieces of the server code that I changed a few days ago are still being run by some users.

Is there some sort of server-code-cache in Django?

The logout is a button that calls a method when clicked, which sends a query to the backend to logout. I don’t think that’s it…

Also, some people reported that after logging in dozens of times, it eventually let them stay logged in.

Many of my users are still running into the issue, so any help would be appreciated :frowning:

This is what I would try.

Go back to your old Django Project, when it was still 2.1.7. Take that project, update it in the right update order. Delete all the caches (pycache folders). Duplicate the database. Delete all sessions in the database. Connect your newly updated project to the duplicate database. See if that helps.

Additionally, you could try to export all your users. Delete all the users. Recreate the users in the Django 3.1 project. During user creation you have to make sure that the newly created profiles get the same Primary/ForeignKey as the old ones. You might have to manually change that in the database.