Managing Session Expiry & Cookies
By default, Django sessions expire after two weeks. To tighten up session management, administrators have control over three essential values:
DJANGO_SESSION_COOKIE_AGE
- Sets the number of seconds a session cookie will last before expiring (default: 32400 seconds or nine hours)
DJANGO_SESSION_SAVE_EVERY_REQUEST
- Sets whether the session cookie will refresh on every request (default: true)
DJANGO_SESSION_EXPIRE_AT_BROWSER_CLOSE
- Sets whether the session cookie will expire when the browser is closed (default: true)
With DJANGO_SESSION_SAVE_EVERY_REQUEST set to true, the server will update the session with each request. Updates reset the expiration, so a short expiry period won’t log out anyone actively using Ghostwriter but will allow inactive sessions to expire.
If set to true, the last option will expire sessions after the browser quits. However, whether the session ends when you close the browser window depends on the browser. Some browsers, like Chrome, will keep sessions active, so you may need to quit or exit the browser to end the session versus just closing the browser window.
You can manage these values via the Ghostwriter command-line interface (CLI) tool.
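The sliding expiry described above, modeled as an added example (not Ghostwriter's or Django's code): it shows which requests are served and when the session finally expires, and it also covers the refresh-off case, where Django resets the expiry only on requests that modify the session. Request and session_timeline are hypothetical names, and the traffic is constructed.

```python
from dataclasses import dataclass

COOKIE_AGE = 32400  # DJANGO_SESSION_COOKIE_AGE default from this page (nine hours)
HOUR = 3600


@dataclass
class Request:
    t: int                  # seconds since login
    modified: bool = False  # True if the view changed session data


def session_timeline(requests, cookie_age=COOKIE_AGE, save_every_request=True):
    """Return (served, expires_at) for one session that logs in at t=0.

    served     -- request times answered while the session was still valid
    expires_at -- expiry time in force when the session died or traffic stopped
    """
    expires_at = cookie_age  # login writes the session and starts the clock
    served = []
    for req in sorted(requests, key=lambda r: r.t):
        if req.t >= expires_at:
            break  # session expired: the user is sent back to the login page
        served.append(req.t)
        # The session is re-saved (and its expiry reset) on every request when
        # the setting is on, otherwise only when the session data was modified.
        if save_every_request or req.modified:
            expires_at = req.t + cookie_age
    return served, expires_at


# Constructed sample traffic, not taken from a real deployment.
ACTIVE = [Request(h * HOUR) for h in range(1, 13)]  # one request per hour for 12 h
IDLE = [Request(1 * HOUR), Request(11 * HOUR)]      # ten-hour gap between requests

if __name__ == "__main__":
    for label, reqs, flag in [("active, refresh on", ACTIVE, True),
                              ("active, refresh off", ACTIVE, False),
                              ("idle, refresh on", IDLE, True)]:
        served, exp = session_timeline(reqs, save_every_request=flag)
        print(f"{label:20} served={len(served):2} expires_at={exp / HOUR:.0f}h")
```

With refresh off, the active user is logged out at the nine-hour mark despite hourly activity, so a short cookie age is only practical when the refresh setting stays on.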
Cleaning Up Expired Sessions
Finally, administrators can view sessions in the admin panel under the Sessions section. This section records every session currently known to Ghostwriter, including expired sessions. If a user does not log out (e.g., lets their session expire), their session will remain logged in the database. It is recommended you clear these expired sessions on a regular basis to keep the sessions table tidy. You can do this with a scheduled task. The task should call django.core.management.call_command and pass "clearsessions" as its only argument. Set up a task like this one that runs daily with the cron scheduler. For example, 0 5 * * * will run it every day at 5:00 AM.
