https://github.com/yourlabs/django-session-security


.. image:: https://img.shields.io/pypi/v/django-session-security.svg
   :target: https://pypi.python.org/pypi/django-session-security
   :alt: Latest version
.. image:: https://github.com/yourlabs/django-session-security/actions/workflows/tests.yml/badge.svg
   :target: https://github.com/yourlabs/django-session-security/actions
   :alt: Unit tests
.. image:: https://readthedocs.org/projects/django-session-security/badge/?version=latest
   :target: https://django-session-security.readthedocs.io/en/latest/?badge=latest
   :alt: Documentation Status
.. image:: https://img.shields.io/pypi/pyversions/django-session-security.svg?style=flat-square
   :target: https://pypi.python.org/pypi/django-session-security/
   :alt: Supported python versions
.. image:: https://img.shields.io/pypi/l/django-session-security.svg?style=flat-square
   :target: https://github.com/yourlabs/django-session-security/blob/master/LICENSE
   :alt: License

Supported python versions
   Python 3.8, 3.9, 3.10
Supported django versions
   Django 1.8, 1.9, 1.10, 1.11, 2.2, 3.2, 4.0, 4.1

A little JavaScript and middleware work together to ensure that the user was
active during the past X minutes in any tab they have open.
Otherwise, a warning is displayed, leaving a couple of minutes to show any kind
of activity, like moving the mouse. If no activity follows, the user is logged out.

Documentation
-------------
https://django-session-security.readthedocs.io/

About
-----

This app provides a mechanism to log out inactive authenticated users. An
inactive browser should be logged out automatically if the user has left their
workstation, to protect sensitive data that may be displayed in the browser. It
may be useful for CRMs, intranets, and similar projects.

For example, if the user leaves for a coffee break, this app can force a logout
after, say, 5 minutes of inactivity.

Why not just set the session to expire after X minutes?
--------------------------------------------------------

Or "why does this app even exist?" Here are the reasons:

- if the user session expires before the user is done reading a page, they
  will have to log in again.
- if the user session expires before the user is done filling in a form, their
  work will be lost, they will have to log in again, and they will probably
  yell at you, dear django dev... at least I know I would!

This app short-circuits those limitations of plain session expiry.

How does it work?
------------------

When the user loads a page, the SessionSecurity middleware sets the last
activity to now. The last activity is stored as a datetime in
``request.session['_session_security']``. To keep the middleware from
updating that last-activity datetime for a given URL, add the URL to
``settings.SESSION_SECURITY_PASSIVE_URLS``.

When the user moves the mouse, clicks, scrolls or presses a key, the
SessionSecurity JavaScript saves the current time as an attribute. The next
time it pings, it sends PingView the number of seconds since that last
client-side activity was recorded.

First, a warning should be shown after ``settings.SESSION_SECURITY_WARN_AFTER``
seconds. The warning displays a text like "Your session is about to expire,
move the mouse to extend it".

Before displaying this warning, SessionSecurity uploads the time since the
last client-side activity was recorded. The middleware adopts it if it is
shorter than what it already has, i.e. a more recent activity was detected in
another browser tab. PingView responds with the number of seconds since the
last activity, all browser tabs included.

If the server recorded no other, more recent, activity, the warning is shown.
Otherwise the JavaScript updates its last activity from the PingView response.

The same goes for expiry after ``settings.SESSION_SECURITY_EXPIRE_AFTER``
seconds: the JavaScript first makes an AJAX request to PingView to ensure that
no more recent activity was detected anywhere else, i.e. in any other browser
tab.
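The following is an added example, not code from django-session-security, that models the ping/merge protocol described above with plain Python: a dict stands in for the Django session, and small functions stand in for the middleware and PingView. The setting values, the passive URL path and the session timestamps are constructed assumptions. It shows the two cases that matter: activity in a second tab suppressing the warning in the first, and a single idle tab going through warning and then expiry without the ping endpoint itself refreshing the server-side timestamp.

```python
"""Stand-alone model of the ping/merge protocol (added example, not the
project's own code). Plain dicts and datetimes replace the Django session,
middleware and PingView; setting values are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed settings: names mirror the README's settings, values are assumptions.
SESSION_SECURITY_WARN_AFTER = 540     # seconds idle before the warning is shown
SESSION_SECURITY_EXPIRE_AFTER = 600   # seconds idle before the user is logged out
SESSION_SECURITY_PASSIVE_URLS = {"/session_security/ping/"}  # assumed ping path
SESSION_KEY = "_session_security"


def middleware_touch(session, path, now):
    """Server side: a normal page load records 'now' as the last activity.

    Passive URLs (the ping endpoint itself) must not refresh the timestamp,
    otherwise every ping would keep the session alive and nobody would ever
    be logged out.
    """
    if path not in SESSION_SECURITY_PASSIVE_URLS:
        session[SESSION_KEY] = now
    return session.get(SESSION_KEY)


def ping_view(session, client_idle_seconds, now):
    """Server side: merge the client's report with what the session holds.

    The client reports seconds since its own last activity. The more recent
    of the two last-activity times wins, so a click in any tab is seen by
    every tab. Returns idle seconds across all tabs.
    """
    client_last = now - timedelta(seconds=client_idle_seconds)
    server_last = session.get(SESSION_KEY)
    if server_last is None or client_last > server_last:
        session[SESSION_KEY] = client_last
    return int((now - session[SESSION_KEY]).total_seconds())


def client_decision(merged_idle_seconds):
    """Client side: what the JavaScript does with the merged idle time."""
    if merged_idle_seconds >= SESSION_SECURITY_EXPIRE_AFTER:
        return "expire"   # log out (reload, or redirect to the logout page)
    if merged_idle_seconds >= SESSION_SECURITY_WARN_AFTER:
        return "warn"     # show "your session is about to expire"
    return "ok"           # keep the local timer running


def simulate_two_tabs():
    """Two tabs share one session; tab B's recent click must stop tab A's warning."""
    session = {}
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed time
    middleware_touch(session, "/dashboard/", t0)             # tab A loads a page

    now = t0 + timedelta(seconds=SESSION_SECURITY_WARN_AFTER)
    # Tab B saw a click 30 s ago and pings first, so the server learns about it.
    idle_b = ping_view(session, 30, now)
    # Tab A has been idle since page load; it pings before showing the warning.
    idle_a = ping_view(session, SESSION_SECURITY_WARN_AFTER, now)
    return {"idle_b": idle_b, "idle_a": idle_a, "tab_a": client_decision(idle_a)}


def simulate_single_tab_expiry():
    """One tab, no activity anywhere: warning first, then logout."""
    session = {}
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed time
    middleware_touch(session, "/dashboard/", t0)
    # A request to the passive ping URL must not refresh the server-side timestamp.
    middleware_touch(session, "/session_security/ping/", t0 + timedelta(seconds=10))
    warn_at = t0 + timedelta(seconds=SESSION_SECURITY_WARN_AFTER)
    expire_at = t0 + timedelta(seconds=SESSION_SECURITY_EXPIRE_AFTER)
    at_warn = ping_view(session, SESSION_SECURITY_WARN_AFTER, warn_at)
    at_expire = ping_view(session, SESSION_SECURITY_EXPIRE_AFTER, expire_at)
    return {"at_warn": client_decision(at_warn), "at_expire": client_decision(at_expire)}


if __name__ == "__main__":
    print(simulate_two_tabs())           # {'idle_b': 30, 'idle_a': 30, 'tab_a': 'ok'}
    print(simulate_single_tab_expiry())  # {'at_warn': 'warn', 'at_expire': 'expire'}
```

The merge in ``ping_view`` is the security-relevant step: the server only ever moves the timestamp forward to what a client reports, so a tab that has not seen activity cannot push it backwards, and the expiry decision is always taken on the freshest activity known across every tab sharing the session.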

Note to SSO (single sign-on) users
----------------------------------

By default, this package reloads the current page after the timeout, prompting
the user to log back into the application to resume where they left off. When
using SSO, however, this can produce confusing behavior. For example, if the
SSO session is still alive, a user may be automatically logged back into the
application.

To avoid this behavior, some users (cf. issue #93) want the timeout to end the
SSO login as well. On a properly configured application, this will happen if
you set ``settings.SESSION_SECURITY_REDIRECT_TO_LOGOUT`` to ``True``. When the
timeout is reached, users will be redirected to the application's logout page
configured at ``settings.LOGOUT_REDIRECT_URL``.

**Please note that this is not an adequate security model. If a user closes
the browser page before logging out, this setting will have no effect on the
SSO session.** At minimum, a similar timeout should be added to the SSO server
for users on "public machines" to ensure the SSO session is also timed out.

Requirements
------------

- Python 3.8+
- jQuery 1.7+
- Django 3.2 to 4.0
- django.contrib.staticfiles or #YoYo

Resources
---------

You can subscribe to the mailing list to ask questions or just to be informed
of package updates.

- `Git graciously hosted <https://github.com/yourlabs/django-session-security>`_ by GitHub,
- `Documentation graciously hosted <https://django-session-security.readthedocs.io/>`_ by Read the Docs,
- `Package graciously hosted <https://pypi.python.org/pypi/django-session-security>`_ by PyPI,
- Mailing list graciously hosted by Google
- For **Security** issues, please contact [email protected]
- `Continuous integration graciously hosted <https://github.com/yourlabs/django-session-security/actions>`_ by GitHub
- Continuous integration historically hosted by Travis-ci