45

How can I reuse the original admin login() and AuthenticationForm to set a longer cookie length for users with the "remember me" option checked at the login page? I am currently using the built-in login through urls.py:

url(r'^login/$','django.contrib.auth.views.login', {'template_name': 'authentication/login.html'}, name='login'),

The checkbox is implemented in my login.html as:

<label><input name="remember_me" type="checkbox">Keep me logged in</label>

but I am not sure how to pass that information through the AuthenticationForm to the django.contrib.auth.views.login

Currently, if the user logs in with the "remember me" box unchecked, the cookie age is defined in settings.py:

SESSION_COOKIE_AGE = 360

I found a couple of similar questions, but I don't think this should require a separate app to be installed. The snippet below (http://djangosnippets.org/snippets/1881/) seemed promising, but I have coded Python and Django for only a couple of months and I wasn't able to get it working:

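from django.contrib.auth import views as auth_views

def login(request, *args, **kwargs):
    if request.method == 'POST':
        # Box unchecked: make this a browser-length session
        if not request.POST.get('remember_me', None):
            request.session.set_expiry(0)
    # Delegate to the built-in login view
    return auth_views.login(request, *args, **kwargs)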
okm
Sawwy
  • The snippet actually works the other way around, but the main idea is still to set the cookie expiry based on the checkbox selection. – Sawwy Feb 26 '13 at 22:26
  • The snippet is correct, just set `SESSION_COOKIE_AGE` to the expiry of remembered login, and `0` inside `request.session.set_expiry(0)` to the expiry of one-off login. – okm Feb 26 '13 at 22:57
  • OK, I got it working now in a way that the default session length is 5 seconds and the remember-me session is 30s (just for test purposes). However, when I use set_expiry(0), the session is not deleted on closing the browser (closing the whole browser, not a tab). The issue persists after: 1) delete FROM django_session (to delete all session information from the database) 2) clearing all browser history (Chrome 25.0.1364.97). I start from scratch, but once this user is logged in, it will stay logged in. Is there something else I need to do? – Sawwy Feb 27 '13 at 09:49
  • Have you solved it? `set_expiry(0)` works for me. You could check the response to see whether the session cookie is updated. – okm Mar 12 '13 at 15:47
  • Yes, I found out that the issue was only with the Chrome browser (when I reopened the browser, it loaded my old tabs from prior to closing). Chrome also works when the above setting is turned off. – Sawwy Apr 01 '13 at 20:50
  • @Sawwy Do you want to post that as an answer then? – AncientSwordRage Feb 10 '15 at 10:36

2 Answers

25

The Django session cookie age is defined in seconds.

SESSION_COOKIE_AGE = 360

means that the session will expire after 6 minutes. I've recently implemented the 'Remember Me' feature and I set the following:

SESSION_COOKIE_AGE = 60 * 60 * 24 * 30 # One month

The login view needs to be overridden as you've shown in the snippet.

But it sounds like you're having an odd issue where closing the browser (when remember me is unchecked) does not require the user to log in again, which should not happen if you use set_expiry(0). When you use set_expiry(0), Django sets a 'session'-length cookie as opposed to a fixed-length cookie, and by design it expires when the browser closes.

There's another setting that affects clearing the cookie on browser close. Maybe you can try altering the SESSION_EXPIRE_AT_BROWSER_CLOSE setting's value or check its existing value in your configuration. https://docs.djangoproject.com/en/2.2/topics/http/sessions/#browser-length-sessions-vs-persistent-sessions

user8193706
tarequeh
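One way to check the login response, as suggested in the comments on the question, is to classify the session cookie in its Set-Cookie header: a browser-length cookie carries neither Max-Age nor Expires, while a remembered login carries both. This is an added example, not code from the thread; the header strings are constructed, `sessionid` is assumed as the cookie name (Django's default), and the helper names are hypothetical.

```python
from http.cookies import SimpleCookie

ONE_MONTH = 60 * 60 * 24 * 30  # SESSION_COOKIE_AGE value used in the answer above

# Constructed Set-Cookie values shaped like Django's session cookie.
REMEMBERED = ("sessionid=constructedkey1; expires=Thu, 28 Mar 2013 22:26:00 GMT; "
              "HttpOnly; Max-Age=2592000; Path=/")
ONE_OFF = "sessionid=constructedkey2; HttpOnly; Path=/"


def session_cookie_lifetime(set_cookie_value, name="sessionid"):
    """Classify the named cookie in one Set-Cookie header value.

    Returns ("browser-length", None) when neither Max-Age nor Expires is set,
    ("persistent", seconds) when Max-Age is set, ("persistent", None) when only
    Expires is set, and (None, None) when the cookie is not in the header.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if name not in jar:
        return (None, None)
    morsel = jar[name]
    if morsel["max-age"]:
        return ("persistent", int(morsel["max-age"]))
    if morsel["expires"]:
        return ("persistent", None)
    return ("browser-length", None)


def expected_lifetime(remember_me, session_cookie_age=ONE_MONTH):
    """What the snippet should yield: set_expiry(0) when the box is unchecked
    gives a browser-length cookie; otherwise SESSION_COOKIE_AGE applies."""
    if remember_me:
        return ("persistent", session_cookie_age)
    return ("browser-length", None)


def login_response_ok(remember_me, set_cookie_value, session_cookie_age=ONE_MONTH):
    """True when the response cookie matches the checkbox the user submitted."""
    return session_cookie_lifetime(set_cookie_value) == expected_lifetime(
        remember_me, session_cookie_age)


if __name__ == "__main__":
    for label, remember, header in [("remembered", True, REMEMBERED),
                                    ("one-off", False, ONE_OFF),
                                    ("one-off but persistent", False, REMEMBERED)]:
        print(label, session_cookie_lifetime(header),
              "OK" if login_response_ok(remember, header) else "MISMATCH")
```

If the header is browser-length and the user still stays logged in after a restart, the server side is behaving as configured and the browser is restoring its session cookies, which is what the asker found with Chrome.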
0

So the request.set_expiry(0) only logs in an anonymous but authenticated user. If I were you, I would do this:

if request.user.is_authenticated() and request.user.id is not None: return redirect('home')