On Oct 13, 4:22 am, Andy <selforgani...@gmail.com> wrote:
> A few questions about Django's authentication system:
>
> - Once a user is logged in, how long does he remain logged in? Is
> there any way to configure this - e.g. "users will remain logged in
> for 24 hours"?

It's determined by the value of SESSION_COOKIE_AGE. See the docs:
http://docs.djangoproject.com/en/1.2/topics/http/sessions/#browser-length-sessions-vs-persistent-sessions

> - Once a user provided a matching username & password and is
> authenticated, then what? In subsequent page views how does Django
> know that this user is logged in? I'm guessing Django creates a cookie
> and stores the cookie in SESSION_ENGINE, every time a user requests a
> page, Django gets that user's cookie from browser and uses it to query
> SESSION_ENGINE. Is that correct?

Well, not quite. The middleware stores an instance of LazyUser, which
is a proxy for contrib.auth.get_user which is only called when
request.user is actually accessed. If you don't access the user at all
in the view, template or middleware, the session engine and the auth
backend won't get hit.

> - Does it mean that Django must hit SESSION_ENGINE for every single
> page view?

Well, yes, as long as the auth and session middleware are enabled,
bearing in mind the above. But that's surely a small hit in the scheme
of things.

Generally, I would suggest you read the code in django.contrib.auth -
it's very clear and well commented.
--
DR.
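
A simplified, self-contained model of the behaviour described in the reply above, added as an illustration and not taken from Django's source or from the original post: `request.user` is resolved lazily, so the store is queried only when a view touches it, and a session older than SESSION_COOKIE_AGE resolves to no user. `SessionStore`, `Request`, the two views and `demo()` are constructed names, and the real session engine and auth backend are collapsed into one counting store.

```python
SESSION_COOKIE_AGE = 24 * 60 * 60  # seconds; the "24 hours" from the question


class SessionStore:
    """Constructed stand-in for the session/auth backends; counts lookups."""
    def __init__(self):
        self.rows = {}   # session key -> (user name, expiry timestamp)
        self.hits = 0

    def create(self, key, user, now):
        self.rows[key] = (user, now + SESSION_COOKIE_AGE)

    def load(self, key, now):
        self.hits += 1
        user, expires = self.rows.get(key, (None, 0))
        return user if now < expires else None  # expired or unknown -> no user


class LazyUser:
    """Descriptor: resolves the user on first access, then caches it on the request."""
    def __get__(self, request, owner=None):
        if request is None:
            return self
        if "_cached_user" not in request.__dict__:
            request._cached_user = request.store.load(request.session_key, request.now)
        return request._cached_user


class Request:
    user = LazyUser()  # what the middleware attaches in this model

    def __init__(self, store, session_key, now):
        self.store, self.session_key, self.now = store, session_key, now


def public_view(request):
    return "hello"                      # never touches request.user


def private_view(request):
    if request.user is None:            # first access triggers the lookup
        return "login required"
    return "hello %s" % request.user    # second access uses the cached value


def demo():
    store, t0 = SessionStore(), 1000.0  # constructed timestamps
    store.create("abc", "andy", t0)
    out = [public_view(Request(store, "abc", t0)), store.hits]
    out += [private_view(Request(store, "abc", t0 + 60)), store.hits]
    out += [private_view(Request(store, "abc", t0 + SESSION_COOKIE_AGE + 1)), store.hits]
    return out
```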
