On Sunday 25 December 2016 18:42:16 Chaos Wong wrote:

> Thanks for the advice.
> It's indeed a rude way to force a session to expire depending only on the
> absolute time. The user always encounters a session-expired event when
> posting something.
> I will consider your way 3). But how does Django know the user has closed
> the browser?

It doesn't. The browser does.
When a cookie does not have an expiration time set, the cookie is not stored on disk but only in memory. When the browser is closed, the cookie is gone.
That means when the browser is opened again, it cannot send the session ID in the cookie anymore. This means a new session should be created (new login), and the old session should not be requested anymore and will eventually be evicted.
This also means that there will be a time window where the server session is valid, while the browser doesn't know about it anymore. So the old session *could* be taken over by someone listening on the wire. This is why encryption is paramount and browsers now support Strict Transport Security[1].

-- 
Melvyn Sopacua

--------
[1] https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#46-deploy-http-strict-transport-security
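The cookie behaviour described in the reply, as an added illustration that is not part of the thread: a Set-Cookie line without Expires/Max-Age is what Django emits when SESSION_EXPIRE_AT_BROWSER_CLOSE = True, while the server-side session lives on until its own expiry. The helper names (set_cookie_header, audit_set_cookie, SessionDemo) are hypothetical; only the setting names are Django's.

```python
from http.cookies import SimpleCookie


def set_cookie_header(session_id, max_age=None, secure=True, httponly=True):
    """Build the Set-Cookie line a server would emit for a 'sessionid' cookie.

    max_age=None mirrors SESSION_EXPIRE_AT_BROWSER_CLOSE = True: with no
    Expires/Max-Age the browser keeps the cookie in memory and drops it on exit.
    """
    jar = SimpleCookie()
    jar["sessionid"] = session_id
    morsel = jar["sessionid"]
    morsel["path"] = "/"
    if max_age is not None:       # persistent cookie, like SESSION_COOKIE_AGE
        morsel["max-age"] = max_age
    if secure:                    # only sent over HTTPS (SESSION_COOKIE_SECURE)
        morsel["secure"] = True
    if httponly:                  # not readable from page scripts
        morsel["httponly"] = True
    return morsel.OutputString()


def audit_set_cookie(header):
    """Classify a Set-Cookie line: does it survive browser close, and is it
    restricted to encrypted transport?"""
    attrs = {}
    for part in header.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.strip().lower()] = value.strip() or True
    return {
        "persistent": "expires" in attrs or "max-age" in attrs,
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
    }


class SessionDemo:
    """Server store plus a browser cookie jar: closing the browser only empties
    the jar, so the server session outlives the cookie (the reply's window)."""

    def __init__(self, cookie_age):
        self.cookie_age = cookie_age
        self.server = {}       # session_id -> creation time (constructed clock)
        self.browser = {}      # cookie name -> (value, persistent)

    def login(self, session_id, now, expire_at_browser_close=True):
        self.server[session_id] = now
        age = None if expire_at_browser_close else self.cookie_age
        hdr = set_cookie_header(session_id, max_age=age)
        self.browser["sessionid"] = (session_id, audit_set_cookie(hdr)["persistent"])

    def close_browser(self):
        # In-memory cookies vanish; persistent ones are kept on disk.
        self.browser = {k: v for k, v in self.browser.items() if v[1]}

    def browser_has_session(self):
        return "sessionid" in self.browser

    def server_accepts(self, session_id, now):
        created = self.server.get(session_id)
        return created is not None and now - created < self.cookie_age
```

Running server_accepts after close_browser shows the stale-but-valid session the reply warns about, which is why the cookie should carry Secure and the site should send HSTS.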
