yourlabs / django-session-security

A little javascript and middleware work together to ensure that the user was active during the past X minutes in any tab he has open. Otherwise, display a warning leaving a couple of minutes to show any kind of activity like moving the mouse. Otherwise, logout the user.
http://django-session-security.rtfd.org
MIT License
309 stars 142 forks

Question about SESSION_SECURITY_INSECURE setting #126

Closed marsvolta80 closed 5 months ago

marsvolta80 commented 5 years ago

Good morning,

I just wanted to get some clarification on the SESSION_SECURITY_INSECURE setting. Based on the documentation, it seems like if you set SESSION_EXPIRE_AT_BROWSER_CLOSE to True then you wouldn't need to set the SESSION_SECURITY_INSECURE setting? Also, the documentation seems to suggest you wouldn't want to use this app without SESSION_EXPIRE_AT_BROWSER_CLOSE being set to True. Overall I was just a little confused on how this setting is used. Can you describe a scenario of how you would use this setting?

Thank you!

claytondaley commented 5 years ago

The package will throw an exception if you don't do one of two things:

  1. set SESSION_EXPIRE_AT_BROWSER_CLOSE=True
  2. set SESSION_SECURITY_INSECURE=True

You absolutely should do the first, but a bypass exists if (for some reason?!?!) you needed to prevent this from happening (e.g. for testing or for a specific type of user).
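The rule described above, modelled as an added example that is not django-session-security's own code: a plain-Python check over a dict standing in for a Django settings module, so it runs without Django installed. The DEBUG-based warning and the comparison of the project's SESSION_SECURITY_WARN_AFTER / SESSION_SECURITY_EXPIRE_AFTER timers are this example's additions, not something the thread states.

```python
# Added example, not django-session-security's own code: a plain-Python model
# of the rule from the thread plus two extra checks over a settings dict.
from typing import List, Mapping


def validate_session_security(settings: Mapping) -> List[str]:
    """Return findings prefixed "ERROR:" or "WARN:"; [] means nothing to flag."""
    findings: List[str] = []
    browser_close = bool(settings.get("SESSION_EXPIRE_AT_BROWSER_CLOSE", False))
    insecure = bool(settings.get("SESSION_SECURITY_INSECURE", False))
    debug = bool(settings.get("DEBUG", False))

    # The rule from the thread: with neither setting the package raises at
    # startup. Modelled here as an ERROR finding instead of an exception.
    if not browser_close and not insecure:
        findings.append(
            "ERROR: set SESSION_EXPIRE_AT_BROWSER_CLOSE=True (or, for testing "
            "only, SESSION_SECURITY_INSECURE=True); with neither, the session "
            "cookie persists after the browser closes"
        )
    # Extra check (not in the thread): the bypass is allowed, but enabling it
    # on a deployment that is not in DEBUG mode deserves a warning.
    if insecure and not debug:
        findings.append(
            "WARN: SESSION_SECURITY_INSECURE=True while DEBUG=False; the "
            "browser-close requirement is bypassed in a production-like config"
        )
    # Extra check (not in the thread) on the project's documented timers
    # (seconds, defaults 540/600): the warning must precede the expiry or the
    # user is logged out without ever seeing the dialog.
    warn_after = int(settings.get("SESSION_SECURITY_WARN_AFTER", 540))
    expire_after = int(settings.get("SESSION_SECURITY_EXPIRE_AFTER", 600))
    if warn_after >= expire_after:
        findings.append(
            f"WARN: SESSION_SECURITY_WARN_AFTER ({warn_after}) must be below "
            f"SESSION_SECURITY_EXPIRE_AFTER ({expire_after})"
        )
    return findings


# Constructed sample configurations for the cases the thread discusses.
RECOMMENDED = {"DEBUG": False, "SESSION_EXPIRE_AT_BROWSER_CLOSE": True}
TEST_BYPASS = {"DEBUG": True, "SESSION_SECURITY_INSECURE": True}
MISCONFIGURED = {"DEBUG": False}  # neither setting: the package would raise

if __name__ == "__main__":
    for name, cfg in (("recommended", RECOMMENDED), ("bypass", TEST_BYPASS),
                      ("misconfigured", MISCONFIGURED)):
        print(f"{name}: {validate_session_security(cfg) or ['ok']}")
```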

claytondaley commented 5 years ago

If you have a suggestion on how to phrase it more clearly, you're welcome to submit a PR!