I recently ran into what I thought was counter-intuitive session
expiration behavior. See ticket http://code.djangoproject.com/ticket/8452
for the details.

I don't mean to dig up topics that have been long debated, but I also
wonder if these semantics make sense?

If I log into a site and only happen to read from my session, my
session will log out in SESSION_COOKIE_AGE seconds (or whatever
set_expiry says). However, if I happen to do actions that cause writes
to my session, then my session will expire at some hard-to-determine
point in the future. How do you explain to a user when they will be logged
out -- X seconds after their last session write? I wrote the app and
I'm not even sure when the session is written to, due to third-party
libraries etc.

Further, for security reasons it seems like it's a good policy for
Django to ship with the default behavior for every session to
automatically expire SESSION_COOKIE_AGE seconds after the session was
created no matter what. If the app wants to push out the expiration
time every time the user is active, they can call set_expiry
explicitly. But I guess that's just one person's opinion.

Alternatively, for consistency, Django could update the expiry age
whenever the session is _read_ or written. Then the docs could simply
say the expiry age is updated whenever the session is used, which is
very simple to understand: any time someone comes back to the site,
their session expiration time will renew. If they don't come back
within the expiration time, their session expires.
You received this message because you are subscribed to the Google Groups
"Django developers" group.
http://groups.google.com/group/django-developers?hl=en
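The three policies contrasted in the post (expiry renewed only on writes, a fixed expiry measured from login, and expiry renewed on every use) can be put side by side on one request timeline. The following is an added example, not code from Django or from the ticket: it is a plain-Python model of the session store rather than Django middleware, so `Session`, `handle_request`, `simulate` and the policy names are all constructed here, and the `AGE` and `TIMELINE` values are made-up inputs. It also goes one step beyond the post with a `SLIDING_CAPPED` policy (renew on use, but never past a hard lifetime measured from login), which is the combination a hardening review usually asks for. In Django, the fixed or sliding variants would be applied by calling `set_expiry` from a middleware, as the post suggests.

```python
"""Model of session-expiry policies: when is the expiry timestamp pushed out?"""
from dataclasses import dataclass

WRITE_ONLY = "write_only"            # renewed only when the session is written (what the post observed)
ABSOLUTE = "absolute"                # fixed at login + age, regardless of activity
SLIDING = "sliding"                  # renewed on every use, read or write
SLIDING_CAPPED = "sliding_capped"    # sliding, but never past login + max_lifetime (hypothetical hardening)


@dataclass
class Session:
    created: float       # login time, seconds
    expires: float       # requests at or after this time are rejected
    age: float           # idle window, the SESSION_COOKIE_AGE analogue
    max_lifetime: float  # hard cap, used by SLIDING_CAPPED only


def login(now, age, max_lifetime=None):
    """Create a session at time `now`; without an explicit cap, the cap equals the idle window."""
    cap = age if max_lifetime is None else max_lifetime
    return Session(created=now, expires=now + age, age=age, max_lifetime=cap)


def handle_request(session, now, policy, writes_session):
    """Serve one request at time `now`.

    Returns True if the session was still valid (request served) and False if
    it had expired (user is logged out). Validity is checked before the request
    and the expiry is pushed out afterwards, mirroring a load-at-start /
    save-at-end request cycle.
    """
    if now >= session.expires:
        return False
    if policy == SLIDING or (policy == WRITE_ONLY and writes_session):
        session.expires = now + session.age
    elif policy == SLIDING_CAPPED:
        session.expires = min(now + session.age, session.created + session.max_lifetime)
    # ABSOLUTE: the expiry set at login is never touched
    return True


def simulate(policy, age, requests, max_lifetime=None):
    """Run a timeline of (time, writes_session) requests after a login at t=0.

    Returns one bool per request: True if served, False if the user was logged out.
    """
    session = login(0.0, age, max_lifetime)
    return [handle_request(session, t, policy, w) for t, w in requests]


def logout_time(policy, age, requests, max_lifetime=None):
    """Return the time of the first rejected request, or None if every request was served."""
    for (t, _), served in zip(requests, simulate(policy, age, requests, max_lifetime)):
        if not served:
            return t
    return None


# Constructed inputs: a 600 s idle window; the user reads at 300 s, writes once
# at 500 s, then only reads. Only the write renews expiry under WRITE_ONLY.
AGE = 600
TIMELINE = [(300, False), (500, True), (800, False), (1000, False), (1300, False)]

if __name__ == "__main__":
    for policy in (WRITE_ONLY, ABSOLUTE, SLIDING):
        print(f"{policy:15s} {simulate(policy, AGE, TIMELINE)}  logout at {logout_time(policy, AGE, TIMELINE)}")
    print(f"{SLIDING_CAPPED:15s} {simulate(SLIDING_CAPPED, AGE, TIMELINE, max_lifetime=900)}")
    # Same timeline with the write removed: under WRITE_ONLY the logout moves from 1300 s to 800 s,
    # which is the "hard to explain to the user" behaviour described in the post.
    reads_only = [(t, False) for t, _ in TIMELINE]
    print(f"write_only, reads only: logout at {logout_time(WRITE_ONLY, AGE, reads_only)}")
```

Running the timeline shows the point of the post directly: with the write-only rule the logout time depends on whether a single write happened at 500 s (1300 s with it, 800 s without it), while `ABSOLUTE` always logs out at 800 s and `SLIDING` never does as long as the user keeps returning inside the window. `SLIDING_CAPPED` with a 900 s lifetime keeps the sliding behaviour but still forces a logout at 1000 s.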