From f193886d15309626134bc091ce5bd137976849fa Mon Sep 17 00:00:00 2001
From: Manuel Kaufmann
Date: Wed, 6 Jul 2022 10:45:00 +0200
Subject: [PATCH] Sessions: do not save on each request
Currently, we have a 30 days expiry time for cookies with "save on every request" enabled. That means users won't need to re-login if they hit at least one Read the Docs page every 30 days. In an attempt to reduce this "infinit session time", I'm disabling the "save on every request". This way we are forcing the users to re-login every 30 days --no matter if they hit a Read the Docs page during that time or not. This will help us to know what are the active users because we will be able to check `User.last_login` and get reasonable numbers. With the current configuration, a user that used the platform _today_ could have a pretty old `last_login` since we are not forcing re-login at all.
---
 readthedocs/settings/base.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
index 4d4f3161c7e..7957816a1b0 100644
--- a/readthedocs/settings/base.py
+++ b/readthedocs/settings/base.py
@@ -75,7 +75,7 @@ class CommunityBaseSettings(Settings):
 SESSION_COOKIE_DOMAIN = 'readthedocs.org'
 SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_AGE = 30 * 24 * 60 * 60 # 30 days
- SESSION_SAVE_EVERY_REQUEST = True
+ SESSION_SAVE_EVERY_REQUEST = False
 @property
 def SESSION_COOKIE_SAMESITE(self):
@@ -89,7 +89,7 @@ def SESSION_COOKIE_SAMESITE(self):
 # CSRF
 CSRF_COOKIE_HTTPONLY = True
- CSRF_COOKIE_AGE = 30 * 24 * 60 * 60
+ CSRF_COOKIE_AGE = 30 * 24 * 60 * 60 # 30 days
 # Security & X-Frame-Options Middleware
 # https://docs.djangoproject.com/en/1.11/ref/middleware/#django.middleware.security.SecurityMiddleware
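Review bot: `SESSION_SAVE_EVERY_REQUEST = False` in the first hunk does not by itself cap a session at 30 days, because Django still re-saves the session and recomputes its expiry from `SESSION_COOKIE_AGE` whenever the session data is modified. If any view or middleware writes to `request.session` for a logged-in user (nothing in this hunk shows whether one does), the expiry keeps sliding and the forced re-login described in the commit message is not guaranteed. It is worth confirming that no such writes happen on normal page views. The intent should also be recorded on the setting itself, since it currently lives only in the commit message, e.g. `# Do not refresh the expiry on every request: a session ends 30 days after it was last modified, which forces a re-login`. The `CommunityBaseSettings` class body starts and continues outside the hunk.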