The django-session-security session does not expire


I am trying to use AJAX polling on my site (setTimeout) alongside django-session-security. In the documentation there is a mention of SESSION_SECURITY_PASSIVE_URL, but I can't seem to get it to work.

My settings:

SESSION_SECURITY_WARN_AFTER = 15
SESSION_SECURITY_EXPIRE_AFTER = 21
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_SECURITY_PASSIVE_URL = ['http://localhost:8000/core/notice/check/', 'core/notice/check/', '/core/notice/check/']

My javascript:

  setTimeout(function(){
    get_notifications();
  }, 2000);

Any ideas what I am doing wrong?


It seems that it's just because your settings parameter name is missing the ending 's'. It should be 'SESSION_SECURITY_PASSIVE_URLS' instead of 'SESSION_SECURITY_PASSIVE_URL' in your case. Consider the source code here.

Other than that, I believe you can safely remove the redundant elements from the SESSION_SECURITY_PASSIVE_URLS list and leave just the '/core/notice/check/' entry there. Again, as we can see from the source code, the decision of whether a request 'is passive' is made by checking the request.path against the list of values from the settings.
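The effect described in the answer, as an added example that is not part of the original post and is not django-session-security's own code: a simplified model of an idle timeout in which a polled path either counts as activity or is skipped as passive. The function names and the simulation loop are hypothetical; the setting values and the path come from the question.

```python
# Simplified model of an idle-timeout check (assumption: not the library's code).
EXPIRE_AFTER = 21                   # SESSION_SECURITY_EXPIRE_AFTER from the question
POLL_PATH = "/core/notice/check/"   # request.path of the polled view (no scheme or host)
POLL_INTERVAL = 2                   # the question's setTimeout delay, in seconds


def load_passive_urls(settings):
    """Read the plural setting name; a misspelled name silently yields []."""
    return list(settings.get("SESSION_SECURITY_PASSIVE_URLS", []))


def is_passive(path, passive_urls):
    """Exact comparison against request.path, as the answer describes."""
    return path in passive_urls


def seconds_until_expiry(settings, horizon=120):
    """Simulate a user who logs in at t=0 and afterwards only polls.

    Returns the second at which the session expires, or None if the
    session is still alive when `horizon` is reached.
    """
    passive_urls = load_passive_urls(settings)
    last_activity = 0
    for now in range(POLL_INTERVAL, horizon + 1, POLL_INTERVAL):
        if now - last_activity >= EXPIRE_AFTER:
            return now
        if not is_passive(POLL_PATH, passive_urls):
            last_activity = now  # the poll is treated as user activity
    return None


# Constructed settings dictionaries mirroring the cases on this page.
MISNAMED = {"SESSION_SECURITY_PASSIVE_URL": ["/core/notice/check/"]}
NO_PATH_MATCH = {"SESSION_SECURITY_PASSIVE_URLS": [
    "http://localhost:8000/core/notice/check/", "core/notice/check/"]}
CORRECT = {"SESSION_SECURITY_PASSIVE_URLS": ["/core/notice/check/"]}

if __name__ == "__main__":
    for name, cfg in [("misnamed", MISNAMED), ("no path match", NO_PATH_MATCH),
                      ("correct", CORRECT)]:
        print(name, "->", seconds_until_expiry(cfg))
```

In this model the misnamed setting and the entries that do not equal request.path both leave the session alive indefinitely, because every poll resets the idle timer; only the exact '/core/notice/check/' entry lets the timeout fire.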