yourlabs / django-session-security

A little javascript and middleware work together to ensure that the user was active during the past X minutes in any tab he has open. Otherwise, display a warning leaving a couple of minutes to show any kind of activity like moving the mouse. Otherwise, logout the user.

Home Page: http://django-session-security.rtfd.org

License: MIT License

Python 76.70% JavaScript 15.23% CSS 1.14% HTML 6.93%

django-session-security's Introduction

Supported python versions

Python 3.8, 3.9, 3.10

Supported django versions

Django 1.8, 1.9, 1.10, 1.11, 2.2, 3.2, 4.0, 4.1

Documentation

https://django-session-security.readthedocs.io/

About

This app provides a mechanism to log out inactive authenticated users. An inactive browser should be logged out automatically if the user has left his workstation, to protect sensitive data that may still be displayed in the browser. It may be useful for CRMs, intranets, and similar projects.

For example, if the user leaves for a coffee break, this app can force a logout after, say, 5 minutes of inactivity.

Why not just set the session to expire after X minutes?

Or "Why does this app even exist?" Here are the reasons:

  • if the user session expires before the user is done reading a page, he will have to log in again.
  • if the user session expires before the user is done filling in a form, his work will be lost, he will have to log in again, and he will probably yell at you, dear Django dev ... at least I know I would!

This app works around those limitations of plain session expiry.

How does it work?

When the user loads a page, the SessionSecurity middleware sets the last activity to now. The last activity is stored as a datetime in request.session['_session_security']. To stop the middleware from updating that last-activity datetime for a given URL, add the URL to settings.SESSION_SECURITY_PASSIVE_URLS.

When the user moves the mouse, clicks, scrolls or presses a key, the client-side SessionSecurity object records the current time in a JavaScript attribute. The next time it pings, it sends PingView the number of seconds elapsed since that last recorded user activity.

First, a warning is shown after settings.SESSION_SECURITY_WARN_AFTER seconds of inactivity. The warning displays a text like "Your session is about to expire, move the mouse to extend it".

Before displaying this warning, SessionSecurity uploads the time since the last client-side activity was recorded. The middleware adopts that value if it is shorter than what it already holds, i.e. a more recent activity was detected in another browser tab. PingView responds with the number of seconds since the last activity, all browser tabs included.

If the server has no other, more recent activity recorded, the warning is shown. Otherwise the JavaScript updates its last-activity time from the PingView response.

The same applies to expiry after settings.SESSION_SECURITY_EXPIRE_AFTER seconds: before expiring, the JavaScript first makes an AJAX request to PingView to ensure that no more recent activity was detected anywhere else, in any other browser tab.
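The exchange described above, as an added example that is not the project's own code: a small Python model of the middleware and PingView logic, with a dict standing in for request.session, plain seconds for timestamps, and constructed thresholds and passive URL in place of the real settings. It also walks through a passive URL being ignored and what a tab sees once the session has expired.

```python
WARN_AFTER = 30     # constructed stand-in for settings.SESSION_SECURITY_WARN_AFTER
EXPIRE_AFTER = 60   # constructed stand-in for settings.SESSION_SECURITY_EXPIRE_AFTER
PASSIVE_URLS = {"/notifications/poll/"}  # constructed stand-in for SESSION_SECURITY_PASSIVE_URLS
KEY = "_session_security"  # the session key the README names for last activity


def middleware(session, path, now, idle_for=None):
    """One pass of the middleware for a request from a logged-in browser.

    session stands in for request.session (a dict) and now is the server
    clock in seconds. A page load (idle_for is None) is itself activity
    unless path is passive. A ping carries idle_for, the seconds since
    this tab last saw activity. Returns "logout" once the session has
    expired; otherwise the seconds since the most recent activity known
    to the server, which is what PingView reports back to the tab.
    """
    if not session.get("authenticated"):
        return "logout"
    last = session.setdefault(KEY, now)
    if idle_for is not None:
        # Adopt the client's value only if it is more recent than the
        # server's: another tab may have seen activity this tab did not.
        last = max(last, now - idle_for)
    elif path not in PASSIVE_URLS:
        last = now
    # Judge expiry against the freshest activity before storing anything,
    # so a stale session cannot be revived by the request that finds it.
    if now - last >= EXPIRE_AFTER:
        session.clear()  # what logout(request) does to the session
        return "logout"
    session[KEY] = last
    return now - last


def client_state(ping_reply):
    """What the page's JavaScript concludes from a PingView reply."""
    if ping_reply == "logout" or ping_reply >= EXPIRE_AFTER:
        return "expire"
    if ping_reply >= WARN_AFTER:
        return "warn"
    # The server knows of fresher activity: the tab resets its idle
    # counter to the reply and keeps working without a warning.
    return "active"


def two_tab_scenario():
    """Tab A loads a page at t=0 and is then left alone; tab B sees a
    mouse move at t=25 and pings at t=28. Returns what tab A observes."""
    session = {"authenticated": True}
    events = {}
    middleware(session, "/home/", 0)                                 # tab A page load
    middleware(session, "/session_security/ping/", 28, idle_for=3)   # tab B: active at t=25
    # t=30: tab A's own counter hits WARN_AFTER, so it pings before warning.
    events["ping_30"] = client_state(
        middleware(session, "/session_security/ping/", 30, idle_for=30))
    # t=55: a background poller on a passive URL must not count as activity.
    events["poll_55"] = middleware(session, "/notifications/poll/", 55)
    # Tab A reset its counter to the t=30 reply (5 s), so its idle_for is now t-25.
    events["ping_60"] = client_state(
        middleware(session, "/session_security/ping/", 60, idle_for=35))
    events["ping_85"] = client_state(
        middleware(session, "/session_security/ping/", 85, idle_for=60))
    # Anything after the expiry, e.g. a page load, is refused.
    events["load_86"] = middleware(session, "/home/", 86)
    return events


if __name__ == "__main__":
    print(two_tab_scenario())
```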

Note to SSO (single sign-on) users

By default, this package reloads the current page after the timeout, prompting the user to log back into the application to resume where they left off. When using SSO, however, this can produce confusing behavior. For example, if the SSO session is still alive, the user may be logged back into the application automatically.

To avoid this behavior, some users (cf. issue #93) want the timeout to end the SSO login as well. On a properly configured application, this happens if you set settings.SESSION_SECURITY_REDIRECT_TO_LOGOUT to True. When the timeout is reached, users are redirected to the application's logout page configured at settings.LOGOUT_REDIRECT_URL.

Please note that this is not an adequate security model. If a user closes the browser page before logging out, this setting will have no effect on the SSO session. At minimum, a similar timeout should be added to the SSO server for users on "public machines" to ensure the SSO session is also timed out.

Requirements

  • Python 3.8+
  • jQuery 1.7+
  • Django 3.2 to 4.0
  • django.contrib.staticfiles or #YoYo

Resources

You can subscribe to the mailing list to ask questions or just to be informed of package updates.

django-session-security's People

Contributors

alexcleduc, autodidacticon, claytondaley, coilysiren, coremayo, cuu508, eriktelepovsky, janmalte, jpic, jsm222, krillr, luzfcb, marcofucci, mjschultz, mpasternak, mschettler, mwhawkins, nirgal, prauscher, psychok7, qwindelzorf, rbntimes, rdekker1, ruffle, sdann, theunraveler, tpeaton, vuongn, xmontana, yscumc

django-session-security's Issues

Post-logout redirect never fires

I was planning to submit a PR here today, but I've hit a roadblock. Setup:

We use django_cas_ng and our users auth against a CAS SSO system. When they click the Logout link on our site, they are logged out of the site AND redirected to our campus SSO system's logout page, which kills their ticket. This is important, especially for multi-user lab computers.

After installing django-session-security, clicking the Logout link manually still works normally. But if I let a user time out with DSS, they are logged out but they are NOT redirected to the SSO logout view. They stay on the site. In this state, the user can click the Login link again and be logged in automatically again without having to authenticate (because the CAS session ticket is still alive). That's bad.

So I started a PR that lets the dev set a custom logout URL. If present, the middleware.py adds a simple redirect after logout():

        if delta >= timedelta(seconds=expire_seconds):
            logout(request)
            return HttpResponseRedirect(settings.LOGOUT_REDIRECT_URL)

(this is in process_request()). The problem is that the redirect never happens after timeout - the user is logged out but the page is not redirected to settings.LOGOUT_REDIRECT_URL. I don't understand why.

If I modify it to go to the CAS logout page without performing an internal logout first:

        if delta >= timedelta(seconds=expire_seconds):
            return HttpResponseRedirect(settings.LOGOUT_REDIRECT_URL)

Then a timeout logout does redirect, but if the user then tries to go back to the site (e.g. to log in as someone else), they're stuck in a loop eternally handing off to settings.LOGOUT_REDIRECT_URL, so they can't access the site at all.

I can't seem to make this work either way. Any idea what I'm missing here? It seems clear that No. 1 is what I want, but I can't figure out why the redirect never fires.

n.b. I also have code to call django_cas_ng's logout() function rather than Django's, but that doesn't affect the problem - it's the same either way.

Session not expiring

I am trying to use AJAX polling on my site (setTimeout) alongside django-session-security. In the documentation there is a mention of SESSION_SECURITY_PASSIVE_URL but I can't seem to get it to work.

My settings:

SESSION_SECURITY_WARN_AFTER = 15
SESSION_SECURITY_EXPIRE_AFTER = 21
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_SECURITY_PASSIVE_URL = ['http://localhost:8000/core/notice/check/', 'core/notice/check/', '/core/notice/check/']

My javascript:

  setTimeout(function(){
    get_notifications();
  }, 2000);

Any ideas what I am doing wrong?

wrong dateformat when upgrading

When you upgrade from an older version that stored the time format differently in the session, your app will crash when a previous user already has a session cookie.

Separate expiration interval for admin users

For security reasons, we'd like admin users (anyone on one of the admin site pages or anyone with is_staff set) to be logged out after 15 minutes of inactivity. Regular, unprivileged users aren't security-sensitive, so they could stay logged in for the default SESSION_COOKIE_AGE.

Could this feature be added to django-session-security? What's the best approach for doing so?

One possible idea would be to move the expiration-checking logic from process_request to process_view, so that the middleware can check the request's namespaces against some sort of SESSION_SECURITY_SENSITIVE_NAMESPACES list. If the sensitive namespaces list is non-empty, and request.resolver_match.app_name and/or request.resolver_match.namespace is NOT in the list, then the middleware would never logout.

PR #20 would also have addressed this, I think, but I see that it was reverted.

Or maybe there's another, better design. I'm pretty new to Django. I'm happy to help with implementation, if you're open to the idea and can give some guidance on a good design.

short lived CSRF protection on the login page: What to do?

When using django-session-security, it's really tempting to use short-lived sessions.
I mean, what is the point of having the default 2-week-long session if you want the user logged out after 10 idle minutes?
It is very appealing to use short-lived sessions then, like 15 minutes. I'm pretty sure many people using this framework reduced the default value.
But then, we have a problem: users coming back from lunch or whatever encounter a CSRF protection error while logging in, because the login page has been shown for too long.

What SESSION_COOKIE_AGE value are you guys using out here?

Wouldn't it be nice to have the framework do exactly the opposite of what it's doing now, but for anonymous users: if the user is NOT logged in, then the ping could prolong the session life? There is no point in logging out anonymous users anyway ...

Django 1.7 & compatibility

Hi,

If I understand correctly, django-session-security is not compatible with Django 1.7? There's probably a (good) reason for that?

I would have liked to use it on a "big" project on Django 1.7...

Thanks for your reply.

NoReverseMatch in Django 1.9 when DEBUG = True

I get the following error when switching to Django 1.9 with version 2.3.2:

NoReverseMatch: Reverse for 'session_security_ping' with arguments '()' and keyword arguments '{}' not found. 0 pattern(s) tried: []

I get this in my project when DEBUG is True, but suspect it could happen when False too.

The issue is that Django 1.9 now loads template tags early, and while URLs are being processed (also early), django-session-security imports its settings, which in turn tries to resolve the session_security_ping URL.

A simple fix would be to import the EXPIRE_AFTER and WARN_AFTER inside of the respective methods rather than at the module level.

Wrong authentication check in template

In template: "session_security/all.html", the check for the user authentication is:

{% if request.user.is_authenticated %}

... and that does not work. Instead, it should be:

{% if user.is_authenticated %}

Option to end session on tab close

One of the requirements for a project that I am working on is that the session should expire on tab close. I can imagine others may want a similar feature. I propose that this app implement an endpoint that the client can call from .onbeforeunload() so that the server invalidates the session.

Need a way to ignore some fields for "Leave page" warning

Here's a feature request :

I'm having a few minor issues with confirmFormDiscard: while this is a nice feature, I occasionally would like to ignore some fields.
In my case, this is a "quick search" widget in the header for example.
But people have been reporting similar wishes like in filters (see #86).

I guess it wouldn't be too difficult to add a class/attribute/whatever to a form/field that would make the check ignore some forms/fields.

The idea would be to modify the formChange function and check that an ignore-dirty / ignore-change / whatever attribute is not present before setting the data-dirty attribute. Preferably in the whole DOM tree above the input element.

Session incorrectly times out early if there is a long running request

Using:

Firefox 19.0.2 with Firebug
Django (1.5)
django-session-security (2.0.3)

Problem:

If there's a long running request, the last activity stored in request.session['_session_security'] is immediately set during the beginning of the request, but it is not returned to the client browser until the request is completed 45 seconds later. Since the session values are stored as cookies on the client side, all the ping requests during this 45 seconds which updated the last activity will be overwritten.
When the long running request is finally completed, the last activity stored in request.session['_session_security'] will be set to 45 seconds ago. If the next request is to the ping view, then all will be fine as the ping view updates the last activity. However, if the next request is another long running request, or something else which does NOT have the idleFor parameter (which means anything other than the ping request), then delta.seconds would be larger than EXPIRE_AFTER and logout(request) would be called. Any subsequent ping requests would return "logout" as a response, although the page the user is viewing would not immediately be logged out.

To reproduce:

  1. Use these settings:

Settings for session_security

SESSION_SECURITY_WARN_AFTER = 10 # Default 540
SESSION_SECURITY_EXPIRE_AFTER = 30 # Default 600
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

  2. Open Firebug and enable Net to see the AJAX connections
  3. Create a page which requests something via AJAX that takes about 45 seconds for the request to complete, which upon completion would create another identical request.
  4. Log in and move the mouse when the warning comes on, then wait until the next warning comes on and move the mouse again.

Here's an example of the requests to the ping view found from Firebug

First Request

GET /session_security/ping/?csrfmiddlewaretoken=ZJgthGOkE5JTR1sS5uxYsc5fn9wd2vgG&idleFor=0&_=1364238435092 HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8000/home/
Cookie: csrftoken=ZJgthGOkE5JTR1sS5uxYsc5fn9wd2vgG; sessionid=py3o4zs90uiojw3ylyb7hxo287n40om4
Connection: keep-alive

HTTP/1.0 200 OK
Date: Mon, 25 Mar 2013 19:07:15 GMT
Server: WSGIServer/0.1 Python/2.7.3
Vary: Cookie
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=py3o4zs90uiojw3ylyb7hxo287n40om4; httponly; Path=/

0

Second Request, after long running request finished and started again

GET /session_security/ping/?csrfmiddlewaretoken=ZJgthGOkE5JTR1sS5uxYsc5fn9wd2vgG&idleFor=1&_=1364238445135 HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8000/home/
Cookie: csrftoken=ZJgthGOkE5JTR1sS5uxYsc5fn9wd2vgG; sessionid=py3o4zs90uiojw3ylyb7hxo287n40om4
Connection: keep-alive

HTTP/1.0 200 OK
Date: Mon, 25 Mar 2013 19:07:25 GMT
Server: WSGIServer/0.1 Python/2.7.3
Vary: Cookie
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=ipub9bxy50x3kleq5w2ekzbrxz0gdfa1; httponly; Path=/

logout

Two things are wrong here:

  1. After receiving the logout response, the page is not immediately logged out. As long as I continue to move my mouse in the page when the warning comes up, I can stay on the page indefinitely, even though all the subsequent AJAX responses say logout. However, refreshing the page redirects me to the login screen, which means I was logged out.
  2. The logout response is incorrect since the "idleFor" is only 1 and it's been only 10 seconds since the last request. The logout really should not be triggered for another 29 seconds.

Add countdown timer of session on client side (template tag)

Is it possible to include a countdown timer, based on the User activity, and restarted whenever the user performs some action?

Something like the counter from my bank.

a template tag + template would be great

something like:

{% load session_security_tags %}

{% render_countdown %}

Setting warning and expiration timeouts based on user permissions

I've been using this package with success. It was very easy to install and use.

I'd like to set longer warning and expiration timeouts if the logged in user is staff (request.user.is_staff) or a superuser (request.user.is_superuser).

Is there any way to do this with the current version? If not, I would appreciate this enhancement.

Disable Mouse activity as events.

Removing the events from "this.events" still has the application recognise the mouse events as activity. Is there a way to disable this activity?

2.6.0 release / django 2 support

after updating to Django 2.03 I get the following error:

File "C:\ProgramData\Anaconda3\lib\site-packages\session_security\middleware.py", line 15, in
from django.core.urlresolvers import reverse, resolve, Resolver404
ModuleNotFoundError: No module named 'django.core.urlresolvers'

It seems this is an incompatibility, as urlresolvers was dropped.

Please remove binary file test_project/db.sqlite

Hello

Your project is distributed with the binary file test_project/db.sqlite, which makes it difficult to distribute.
That file should be removed from your project.
I believe it can be generated using ./manage.py syncdb --noinput.
So the unit tests need to be changed to do that first.

recommend using typeof === "undefined" vs object === undefined

https://github.com/yourlabs/django-session-security/blob/master/session_security/static/session_security/script.js uses the code

if (window.yourlabs == undefined) window.yourlabs = {};

which could be rewritten

if (typeof window.yourlabs === "undefined") window.yourlabs = {};

or

window.yourlabs = window.yourlabs || {};

see issues with current approach here:
http://stackoverflow.com/questions/4725603/variable-undefined-vs-typeof-variable-undefined

-Aleck

Django Admin getting logged out automatically without warning

My team has successfully implemented session-security in our app. Users are alerted after a period of inactivity and then automatically logged out and redirected. However, session-security is causing our Admin site to be logged out of Django admin - even if there is activity - and no warning is given.

Requirejs compatibility

I use requirejs for javascript modularity but django-session-security doesn't work well with requirejs. Even going outside the normal recommended use of requirejs, I can't get it to work. I'm no longer getting javascript errors, but it still seems like things are not functioning.

session_security breaks "End Session" on the current session when using user_sessions

The middleware

user_sessions.middleware.SessionMiddleware

provides a listing of a user's sessions across various clients. The user can then choose to "End Session" on any of their existing sessions, including the current session they are logged in as.

When using the user_sessions middleware alone, clicking "End Session" will behave the same way as "Logout". Unfortunately, when combined with the session_security middleware, clicking "End Session" on the current session has no effect.

With some pdb tracing, I've figured out the following rough series of events:

  1. request:session_security updates the last_activity in the session
  2. request:user_sessions deletes the session object
  3. response:user_sessions detects the session was modified in step 1) and re-saves the session to the backing DB

The user is redirected to the same Session List page, with their current session still active.

Touch events

Could you please add touch events (touchstart, touchmove, touchend) to the list of caught events to track activity?

Add support for Namespaces

Please can you add support for URL namespaces?

Please can you also expand the documentation and provide some examples of how to use settings.SESSION_SECURITY_PASSIVE_URLS and settings.SESSION_SECURITY_PASSIVE_URL_NAMES?

Session doesn't expire after SESSION_SECURITY_EXPIRE_AFTER

Reproduce:

  1. Set SESSION_SECURITY_EXPIRE_AFTER = 10
  2. Log in to the site to get a last_activity.
  3. Close the tab and wait 20s, then reopen the tab: you are still logged in and the session is still valid.

session_security/middleware:38 might be the culprit as it updates the last_activity before the Session expiry check is done at session_security/middleware:41

Redirect after login to the page of the previous user

After a session is closed due to inactivity for "user-A" and if "user-B" logs in from the same navigator, the middleware redirects the new session for "user-B" to the last page that "user-A" was using. In my opinion, settings.REDIRECT_URL must be used for redirecting in this case.

Implicit declaration of nextPing in script.js

Hey cool author,

I just wanted to open a question related to your implicit declaration of nextPing variable in apply function of sessionSecurity.prototype within the script.js file.

I was just curious, what was your reason for choosing to implicitly define nextPing? I am looking at the code, and now obviously the "best practice" would suggest not doing this, however it raised the question of, "When exactly is it okay to use the implicit declaration versus explicitly creating the variable within scope?" This to me is interesting, since I enjoy being a rule breaker myself.

Since it's a "best practice", and one that makes sense in most cases, I was wondering if you could walk me through this decision, since maybe this is the exception to the rule.

Add the possibility of excluding some URLs from auto-closing

The app works great but I need to exclude some URLs from closing.

The project is an e-learning platform, so it makes perfect sense to close if the user is idle for 5 minutes in most cases. But we have URLs that display an audio, so the student can be listening to the audio for more than 5 minutes. Is there any possibility to exclude them?

Thanks 4 the app

Page reload issues

Hi,

I have some pages with a reload page upon ajax success.

{% include 'session_security/all.html' %}
Adding in the include into the page throws up the alert.

You have unsaved changes in a form of this page.
Are you sure you want to reload this page?

Would you know how to fix this?

Spelling typo in French translation

In locale/fr/LC_MESSAGES/django.po on line 20, an 's' is missing.
It reads:
msgstr "Vous avez des changements non sauvegardé dans un formulaire de cette page."
It should read:
msgstr "Vous avez des changements non sauvegardés dans un formulaire de cette page."

Template incompatibility with Django 1.9a1

I'm starting to test our project that uses django-session-security with Django 1.9a1, and I run into a fatal error:

django.template.exceptions.TemplateSyntaxError: 'url' is not a valid tag or filter in tag library 'future'

from session_security/templates/session_security/all.html

Changing this would not be compatible with Django 1.4, but anyone still stuck on 1.4 could override the template.

Security Issue Email

I'd like to report what I view as a vulnerability, but don't see a dedicated email for this sort of correspondence. Please let me know how you'd like me to report it.

How to disable mouse move event?

Hi. First, thanks for the useful app. I would like to ask how I can disable activity triggering by the mousemove event? I want to keep just the scroll, keyup and click events. Thanks.

Inconsistent timeout

We have been using django-session-security for about 2 years in our application, but its effectiveness has been spotty.
Sometimes the culprit is a clear interference from another piece of middleware or another change in our application - but currently our experience is that it works "some times". It will work for one user one time, then fail the next.

If I remove the warn/expire settings, our application consistently expires the session cookie per the session cookie timeout setting.

Are there any common interfering factors that you can recommend looking into?

console.log

There's a console.log in script.js that causes an error in IE8.
console.log($(e.target))

I suppose this is only used for debugging?

NoReverseMatch: Reverse for 'session_security_ping' not found.

Hi there!
I love this app for my Django projects, but I have recently updated from Django 2.0 to Django 2.1 and now I'm getting this error:

Internal Server Error: /session_security/ping/
Traceback (most recent call last):
  File "/home/ellen/ownCloud/virtualenvs/purple_box/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/home/ellen/ownCloud/virtualenvs/purple_box/lib/python3.6/site-packages/django/utils/deprecation.py", line 90, in __call__
    response = self.process_request(request)
  File "/home/ellen/ownCloud/virtualenvs/purple_box/lib/python3.6/site-packages/session_security/middleware.py", line 76, in process_request
    elif (request.path == reverse('session_security_ping') and
  File "/home/ellen/ownCloud/virtualenvs/purple_box/lib/python3.6/site-packages/django/urls/base.py", line 90, in reverse
    return iri_to_uri(resolver._reverse_with_prefix(view, prefix, *args, **kwargs))
  File "/home/ellen/ownCloud/virtualenvs/purple_box/lib/python3.6/site-packages/django/urls/resolvers.py", line 622, in _reverse_with_prefix
    raise NoReverseMatch(msg)
django.urls.exceptions.NoReverseMatch: Reverse for 'session_security_ping' not found. 'session_security_ping' is not a valid view function or pattern name.

Session security still seems to work, but getting this traceback in my logs is not ideal. I hope you can upgrade the compatibility to Django 2.1.
Thanks!

ValueError: time data does not match format '%Y-%m-%dT%H:%M:%S.%f'

I didn't figure out when it happens, but it happens sometimes:

Traceback (most recent call last):
  File "/srv/www/someproj/env/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 90, in get_response
    response = middleware_method(request)
  File "/srv/www/someproj/env/local/lib/python2.7/site-packages/session_security/middleware.py", line 35, in process_request
    self.update_last_activity(request, now)
  File "/srv/www/someproj/env/local/lib/python2.7/site-packages/session_security/middleware.py", line 52, in update_last_activity
    last_activity = get_last_activity(request.session)
  File "/srv/www/someproj/env/local/lib/python2.7/site-packages/session_security/utils.py", line 17, in get_last_activity
    '%Y-%m-%dT%H:%M:%S.%f')
  File "/usr/lib/python2.7/_strptime.py", line 325, in _strptime
    (data_string, format))

ValueError: time data '2015-07-13T23:37:26' does not match format '%Y-%m-%dT%H:%M:%S.%f'

When it happens, I get multiple exceptions for subsequent pages. For some reason, value in session['_session_security'] appears without microseconds.

Can I override the templates?

I found that the templates are located in /usr/local/lib/python3.7/site-packages. Can I override them with my custom templates instead of directly changing the templates under the folder?

Works with python3

README.rst says python2.7 is required.
Tests are running fine with python 3. It would be nice to update README.rst.

Django 2.1 & 2.2 compatibility?

Is this package compatible with Django 2.1 & 2.2? Anyone using it in production? If so, we should add it to tox.ini and travis.yml

Release for Django 1.10 support?

My project uses your package and it would be great to have a release with this PR! #81

(Just wanted to make this a tracking issue, or ping y'all in case it slipped someone's mind!)

Question about SESSION_SECURITY_INSECURE setting

Good morning,

I just wanted to get some clarification on the SESSION_SECURITY_INSECURE setting. Based on the documentation it seems like if you set SESSION_EXPIRE_AT_BROWSER_CLOSE to True then you wouldn't need to set the SESSION_SECURITY_INSECURE setting? Also the documentation seems to suggest you wouldn't want to use this app without SESSION_EXPIRE_AT_BROWSER_CLOSE being set to True. Overall I was just a little confused on how this setting is used. Can you describe a scenario of how you would use this setting?

Thank you!

[SECURITY BC BREAK] Do not reload the page by default ?

#94 allows dss to not reload the page when the session expires.

This can leave sensitive data on the screen for a hacker to right click -> inspect -> delete whatever blocks the view, or leave sensitive data in memory that a hacker could obtain remotely.

However, it delivers a lot better user experience, particularly when the page has taken steps to set up.

I wonder how many of you are running a fork of the script that doesn't reload the page?

I would really like this to become the default. In this case, would it be necessary for you that sensitive data be encrypted during the time the session is locked, if the page isn't reloaded to a blank login script as it is today?

I'm asking "you" for everybody reading this, I haven't had this script in production for ages, if anybody wants to step up as a maintainer it's a golden opportunity that will make you learn things in life that you could not learn in any other way !

Bug: strptime AttributeError - pull request submitted

bug explained here: http://code-trick.com/python-bug-attribute-error-_strptime/
bug report: http://bugs.python.org/issue7980

  File "/Users/user/src/myapp/venv/lib/python2.7/site-packages/django/core/handlers/base.py", line 88, in get_response
    response = middleware_method(request)
  File "/Users/user/src/myapp/venv/lib/python2.7/site-packages/session_security/middleware.py", line 34, in process_request
    self.update_last_activity(request, now)
  File "/Users/user/src/myapp/venv/lib/python2.7/site-packages/session_security/middleware.py", line 52, in update_last_activity
    last_activity = get_last_activity(request.session)
  File "/Users/user/src/myapp/venv/lib/python2.7/site-packages/session_security/utils.py", line 17, in get_last_activity
    '%Y-%m-%dT%H:%M:%S.%f')
AttributeError: _strptime

Do you want to leave this site?

I have installed session security as per the instructions with default values. In my system many of my page changes are via javascript with document.location.href = next;

Have tried both "http://domain/etc/123" and "/etc/123" and both trigger the "Do you want to leave this site" dialog.

The pages have little forms, like a search box and I tried removing them but this had no effect.

Reverted to version before adding session security and dialog stopped coming up.

Do you have any suggestions of what is triggering the dialog?
