nautobot / nautobot

Network Source of Truth & Network Automation Platform
https://docs.nautobot.com
Apache License 2.0

Document best practices for `SESSION_COOKIE_AGE` and `SESSION_SAVE_EVERY_REQUEST` for inactivity timeout #4347

Open gsnider2195 opened 1 year ago

gsnider2195 commented 1 year ago

Proposed Changes

Some admins would like to have nautobot log users out after a period of inactivity. The proposed method is to set the SESSION_COOKIE_AGE to the desired timeout value and then use SESSION_SAVE_EVERY_REQUEST to have Django update the session on every request. However, nautobot uses the database session backend by default so making a database UPSERT on every request may impact performance. We should test the performance impact and document whether admins should also use the SESSION_ENGINE = "django.contrib.sessions.backends.cached_db" setting when setting SESSION_SAVE_EVERY_REQUEST = True.

Justification

Documentation
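
A small model of the two expiry behaviours the proposal relies on, added here as an illustration (not Nautobot's or Django's code). Django stamps `expire_date = now + SESSION_COOKIE_AGE` whenever a session is saved; without `SESSION_SAVE_EVERY_REQUEST` that only happens at login or when the session data changes, so the timeout is absolute from the last save, whereas with it every request re-saves and the window slides. The `SessionStore` class below reproduces only that bookkeeping and counts the session-table writes so the performance cost is visible; `inactivity_timeout_settings` returns the settings block an admin would paste into `nautobot_config.py` (the function name and the helper are assumptions for this example, not a Nautobot API):

```python
"""Model of Django's absolute vs. sliding session expiry (constructed example)."""
from dataclasses import dataclass
from typing import Optional


def inactivity_timeout_settings(seconds: int, use_cached_db: bool = True) -> dict:
    """Settings for a sliding inactivity timeout, in nautobot_config.py form.

    `use_cached_db` swaps in the write-through cached_db engine; it assumes the
    default CACHES backend is already configured in the Nautobot settings.
    """
    settings = {
        "SESSION_COOKIE_AGE": seconds,          # lifetime in seconds after the last save
        "SESSION_SAVE_EVERY_REQUEST": True,     # re-save (and re-stamp expiry) per request
    }
    if use_cached_db:
        settings["SESSION_ENGINE"] = "django.contrib.sessions.backends.cached_db"
    return settings


@dataclass
class SessionStore:
    cookie_age: int                     # SESSION_COOKIE_AGE
    save_every_request: bool            # SESSION_SAVE_EVERY_REQUEST
    expire_at: Optional[int] = None     # expire_date stamped at the last save
    db_writes: int = 0                  # session-table UPSERTs issued so far

    def _save(self, now: int) -> None:
        # Every save re-stamps expire_date and costs one database write.
        self.expire_at = now + self.cookie_age
        self.db_writes += 1

    def login(self, now: int) -> None:
        # Login always saves the session, so the first expiry window starts here.
        self._save(now)

    def request(self, now: int) -> bool:
        """Return True if the request is served with a live session, False if it is redirected to login."""
        if self.expire_at is None or now >= self.expire_at:
            self.expire_at = None       # Django treats expire_date <= now as no session
            return False
        if self.save_every_request:
            self._save(now)             # sliding window: expiry refreshed on each request
        return True


def simulate(save_every_request: bool, cookie_age: int, login_at: int, request_times: list) -> tuple:
    """Replay a login followed by requests at the given times (seconds); return (served flags, db writes)."""
    store = SessionStore(cookie_age=cookie_age, save_every_request=save_every_request)
    store.login(login_at)
    served = [store.request(t) for t in request_times]
    return served, store.db_writes


if __name__ == "__main__":
    # Constructed timeline: one minute of activity every 10 s, then 30 s idle, then one more click.
    timeline = [10, 20, 30, 40, 50, 60, 90]
    for sliding in (False, True):
        served, writes = simulate(sliding, cookie_age=30, login_at=0, request_times=timeline)
        print(f"save_every_request={sliding}: served={served} db_writes={writes}")
```

With `SESSION_SAVE_EVERY_REQUEST = False` the session dies 30 seconds after login regardless of activity; with it set to `True` the user stays logged in while active and is redirected only after 30 idle seconds, at the cost of one session write per request. Note that `cached_db` is write-through: it serves session reads from the cache, but every save still reaches the database, so it removes the per-request read rather than the per-request UPSERT.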

zackt25 commented 1 year ago

Tested this with a client.

They updated the nautobot_config.py with new parameters for only a SESSION_COOKIE_AGE = 30 sec timeout for testing and restarted all services.

Test #1:

1. Logged in
2. Did not interact with the page for 30 seconds
3. When anything was clicked on the GUI, was redirected to the login page

Test #2:

1. Logged in
2. Interacted with the GUI for 1 min (during this time was not redirected)
3. Sat idle for 30 seconds
4. When anything was clicked in the GUI, they were redirected to the login screen.

gertzakis commented 7 months ago

Any update regarding the above? Is enabling SESSION_COOKIE_AGE & SESSION_SAVE_EVERY_REQUEST compromising performance? And if yes, what is the best way to implement it?