Session Age Too Long
deeppunster commented
Describe the bug
The session cookie default age for Django is two weeks. This is much too long for this application.
To Reproduce
Steps to reproduce the behavior:
1. Log in to the application.
2. Close the tab or window without logging out.
3. Wait up to a little less than two weeks and go to the application URL.
4. It will return to whatever screen you were on before closing in step 2 without asking you to log in again.
Expected behavior
The application should require you to log in again after two hours of inactivity.
Additional context
Django has a parameter called SESSION_COOKIE_AGE. Its default is two weeks in seconds. It should be set to 13,200 (two hours in seconds).
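Added example, not part of the original issue or the project's code: a simplified model of Django's session expiry, showing that the "two hours of inactivity" behaviour requested above depends on `SESSION_SAVE_EVERY_REQUEST` as well as `SESSION_COOKIE_AGE`. The function name, event format and both timelines are constructed for illustration; the two setting names are Django's own.

```python
from datetime import timedelta

# Values as they would appear in settings.py. Deriving the age from a
# timedelta avoids hand-typed second counts.
SESSION_COOKIE_AGE = int(timedelta(hours=2).total_seconds())
# Django's default is False: the expiry is only pushed forward when the
# session is modified. True re-saves the session on every request, which
# turns SESSION_COOKIE_AGE into an inactivity timeout.
SESSION_SAVE_EVERY_REQUEST = True


def first_rejected_request(events, age=SESSION_COOKIE_AGE,
                           save_every_request=SESSION_SAVE_EVERY_REQUEST):
    """Simplified model (assumption: no per-session set_expiry() override).

    events: list of (seconds_since_login, modifies_session), sorted by time.
    The login at t=0 saves the session, so it first expires at t=age.
    Returns the time of the first request that finds the session expired,
    or None if every request is served while still logged in.
    """
    expires_at = age
    for t, modifies_session in events:
        if t >= expires_at:
            return t  # session expired: user is sent back to the login page
        if modifies_session or save_every_request:
            expires_at = t + age  # saving the session resets the clock
    return None


# Constructed timelines (seconds since login, read-only requests).
ACTIVE_USER = [(5400, False), (10800, False), (16200, False)]  # every 90 min
IDLE_USER = [(5400, False), (14400, False)]                    # 2.5 h gap

if __name__ == "__main__":
    for label, flag in (("save every request", True), ("default", False)):
        print(label,
              "| active:", first_rejected_request(ACTIVE_USER, save_every_request=flag),
              "| idle:", first_rejected_request(IDLE_USER, save_every_request=flag))
```

With the default `SESSION_SAVE_EVERY_REQUEST = False`, the active user in this model is logged out on the first request more than two hours after login even though they never went idle, because read-only requests do not refresh the expiry.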