How to expire session due to inactivity in Django?

Here's an idea... Expire the session on browser close with the SESSION_EXPIRE_AT_BROWSER_CLOSE setting. Then set a timestamp in the session on every request like so.

request.session['last_activity'] = datetime.now()

and add a middleware to detect if the session is expired. something like this should handle the whole process...

from datetime import datetimefrom django.http import HttpResponseRedirectclass SessionExpiredMiddleware:    def process_request(request):        last_activity = request.session['last_activity']        now = datetime.now()        if (now - last_activity).minutes > 10:            # Do logout / expire session            # and then...            return HttpResponseRedirect("LOGIN_PAGE_URL")        if not request.is_ajax():            # don't set this for ajax requests or else your            # expired session checks will keep the session from            # expiring :)            request.session['last_activity'] = now

Then you just have to make some urls and views to return relevant data to the ajax calls regarding the session expiry.

when the user opts to "renew" the session, so to speak, all you have to do is set requeset.session['last_activity'] to the current time again

Obviously this code is only a start... but it should get you on the right path

I am just pretty new to use Django.

I wanted to make session expire if logged user close browser or are in idle(inactivity timeout) for some amount of time. When I googled it to figure out, this SOF question came up first. Thanks to nice answer, I looked up resources to understand how middlewares works during request/response cycle in Django. It was very helpful.

I was about to apply custom middleware into my code following top answer in here. But I was still little bit suspicious because best answer in here was edited in 2011. I took more time to search little bit from recent search result and came up with simple way.

SESSION_EXPIRE_AT_BROWSER_CLOSE = TrueSESSION_COOKIE_AGE = 10 # set just 10 seconds to testSESSION_SAVE_EVERY_REQUEST = True

I didn't check other browsers but chrome.1. A session expired when I closed a browser even if SESSION_COOKIE_AGE set.2. Only when I was idle for more than 10 seconds, A session expired. Thanks to SESSION_SAVE_EVERY_REQUEST, whenever you occur new request, It saves the session and updates timeout to expire

To change this default behavior, set the SESSION_SAVE_EVERY_REQUEST setting to True. When set to True, Django will save the session to the database on every single request.

Note that the session cookie is only sent when a session has been created or modified. If SESSION_SAVE_EVERY_REQUEST is True, the session cookie will be sent on every request.

Similarly, the expires part of a session cookie is updated each time the session cookie is sent.

django manual 1.10

I just leave answer so that some people who is a kind of new in Django like me don't spend much time to find out solution as a way I did.

django-session-security does just that...

... with an additional requirement: if the server doesn't respond or an attacker disconnected the internet connection: it should expire anyway.

Disclamer: I maintain this app. But I've been watching this thread for a very, very long time :)