Hi,
On Monday, August 20, 2018 at 2:08:30 PM UTC+5:30, Michal Petrucha wrote:
Thanks for the approach. On our site, customers have the option to do a guest checkout, wherein users can make a purchase without registering/signing up. We are still using session information for such users. Hence, the session is kind of combined for logged-in and not-logged-in users. The challenge is to figure out the sessions for logged-in users (at least I am not aware of how to do that in Django).
Typically in businesses, users (specifically the masses, who aren't that tech savvy) prefer a flow that's smooth and hassle-free, though security definitely becomes an important aspect. Hence, the challenge is to combine both.
I would certainly look into the approach you have suggested.
Thanks.
On Fri, Aug 17, 2018 at 05:44:22AM -0700, Web Architect wrote:
> Hi,
>
> We are using persistent django sessions for our website where in the
> session information is stored in MySQL. Over last couple of years, the
> session data has grown to a huge number and we were planning to clean it up.
> I know that there is a django management command 'clearsessions' and we are
> using the same as a daily cronjob.
> But our challenge is we have long expiry timelines of like 100 years so
> that our users are never logged out (unless they clear their cookies etc).
> Hence, the clearsessions won't help.
>
> The solution we are looking for are removing the sessions which are never
> used for a long period. Let's say a user never came to our site for 3
> months after last logging in. We would like to purge those sessions. Would
> really appreciate if anyone could suggest any such solution - be it in
> Django or if we need to custom build it.
>
> Thanks.
There is another de-facto standard solution to this problem, which
does not involve setting the session expiry to years – it's usually
referred to as "persistent authentication cookie". That way, sessions
would expire after the usual short period of time, and it also makes
the persistent login feature optional for your users.
I haven't found a maintained package that would implement this for
Django applications, but you can find a bunch of material on this
topic. For example, this article seems to consider a lot of potential
attack vectors:
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
Michal
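The "persistent authentication cookie" Michal describes, as an added example written for this page (it is not code from the thread, from the linked Paragon article, or from any Django package). The cookie carries a random selector plus a random validator; only a SHA-256 of the validator is stored, so a dump of the table does not yield usable cookies. Each use updates a last_used timestamp, which is what the original question needed: tokens idle for the assumed 90 days (the "3 months" in the question) are purged, and a 365-day hard cap is assumed as a policy limit. The store is an in-memory SQLite table and the timestamps are constructed; in a Django deployment the table would be a model, the cookie would be set HttpOnly/Secure at login only, and the ordinary short-lived session would keep serving both guest and logged-in requests, so guest-checkout sessions are never given a long lifetime.

```python
"""Persistent "remember me" token store: selector/validator split plus idle purge.

Example code for this page, not from the thread or any Django package.
All timestamps below are constructed; the lifetimes are assumed policy values.
"""
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 365   # assumed hard cap on a persistent login token
MAX_IDLE_DAYS = 90   # assumed idle limit, matching the "3 months" in the question

# Constructed reference time so the demo and its checks are deterministic.
T0 = datetime(2018, 8, 20, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE IF NOT EXISTS auth_tokens (
    selector  TEXT PRIMARY KEY,  -- public lookup key, sent in the cookie
    validator TEXT NOT NULL,     -- SHA-256 hex of the secret half, never the secret
    user_id   INTEGER NOT NULL,
    created   REAL NOT NULL,     -- Unix timestamps
    last_used REAL NOT NULL,
    expires   REAL NOT NULL
)
"""


def days_after(n):
    """T0 shifted by n days (helper so callers need no datetime imports)."""
    return T0 + timedelta(days=n)


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _hash(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_token(conn, user_id, now, max_age_days=MAX_AGE_DAYS):
    """Create a token at login and return the cookie value 'selector:validator'."""
    selector = secrets.token_hex(12)    # 96 bits: unique lookup key
    validator = secrets.token_hex(32)   # 256 bits: the secret the client must present
    ts = now.timestamp()
    conn.execute(
        "INSERT INTO auth_tokens VALUES (?, ?, ?, ?, ?, ?)",
        (selector, _hash(validator), user_id, ts, ts,
         (now + timedelta(days=max_age_days)).timestamp()),
    )
    conn.commit()
    return f"{selector}:{validator}"


def _burn(conn, selector):
    conn.execute("DELETE FROM auth_tokens WHERE selector = ?", (selector,))
    conn.commit()


def authenticate(conn, cookie, now):
    """Return the user_id for a valid cookie (and touch last_used), else None."""
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    row = conn.execute(
        "SELECT validator, user_id, expires FROM auth_tokens WHERE selector = ?",
        (selector,),
    ).fetchone()
    if row is None:
        return None                     # unknown selector: nothing to compare against
    stored_hash, user_id, expires = row
    if now.timestamp() >= expires:
        _burn(conn, selector)           # past the hard cap
        return None
    # Compare hashes in constant time; the DB lookup was by selector, so the
    # secret half never influences query timing.
    if not hmac.compare_digest(_hash(validator), stored_hash):
        # Right selector, wrong secret: a tampered or guessed cookie.
        # Revoking the token here is this example's choice, not a thread requirement.
        _burn(conn, selector)
        return None
    conn.execute("UPDATE auth_tokens SET last_used = ? WHERE selector = ?",
                 (now.timestamp(), selector))
    conn.commit()
    return user_id


def purge_unused(conn, now, max_idle_days=MAX_IDLE_DAYS):
    """Delete tokens idle longer than max_idle_days or past expiry; return the count."""
    cutoff = (now - timedelta(days=max_idle_days)).timestamp()
    cur = conn.execute("DELETE FROM auth_tokens WHERE last_used < ? OR expires <= ?",
                       (cutoff, now.timestamp()))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_store()
    cookie = issue_token(db, 42, T0)
    print("login ok:", authenticate(db, cookie, days_after(10)) == 42)
    print("purged after 100 idle days:", purge_unused(db, days_after(110)))
```

Run the purge from the same daily cron job that already runs clearsessions; the ordinary Django session keeps its short expiry, and a user returning with a valid persistent cookie is simply logged in again and given a fresh session.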