Louis, there is some value in retaining the session past logout.  The
decision of what session data to keep/destroy is best left to the
application.  For any application that allows both anonymous and
authenticated access, any site settings that you are able to set as an
anonymous user (e.g., font size) should be able to persist across logout.
Or consider the case of an application that is able to remember your login
id in its login form -- that, too, would remain in your session after
logout.

  -- Scott

On Thu, May 29, 2008 at 5:59 AM, Louis Cordier <[EMAIL PROTECTED]> wrote:

>
> From http://www.djangoproject.com/documentation/sessions/ it follows,
>
> Clearing the session table
> =================
> ...
> To understand this problem, consider what happens when a user uses a
> session. When a user logs in, Django adds a row to the django_session
> database table. Django updates this row each time the session data
> changes. If the user logs out manually, Django deletes the row. But if
> the user does not log out, the row never gets deleted.
>
> But in actual fact Django never deletes the row on logout.
>
> In trunk/django/contrib/auth/__init__.py
>
> ---8<------------------------------------------------------
> def logout(request):
>    """
>    Remove the authenticated user's ID from the request.
>    """
>    try:
>        del request.session[SESSION_KEY]
>    except KeyError:
>        pass
>    try:
>        del request.session[BACKEND_SESSION_KEY]
>    except KeyError:
>        pass
>    if hasattr(request, 'user'):
>        from django.contrib.auth.models import AnonymousUser
>        request.user = AnonymousUser()
> ---8<------------------------------------------------------
>
> It only deletes '_auth_user_id' and '_auth_user_backend' from the
> session, but keeps the rest intact.
> If a new user logs in with this browser (without closing it first and
> thus deleting the session cookie), the session middleware takes the
> session cookie and instantiates a SessionStore with it.
>
> request.session = engine.SessionStore(session_key)
>
> This effectively gives the new user the previous user's (polluted) session.
>
> An easy fix would be to actually delete the row as stated in the
> documentation.
> ---8<------------------------------------------------------
> from django.conf import settings
>
> def logout(request):
>     try:
>         request.session.delete(request.COOKIES[settings.SESSION_COOKIE_NAME])
>     except KeyError:
>         pass
> ...
> ---8<------------------------------------------------------
>
> My questions are:
>
> * Is there a good reason why the sessions are not cleared at manual logout?
> * Is there an alternative method of dealing with this situation,
> polluted sessions?
> * Is this a bug, should I file a ticket?
>
> Regards, Louis.
>
>


-- 
http://scott.andstuff.org/ | http://truthadorned.org/
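As an added illustration of the two logout strategies discussed in this thread (not code from Django or from either poster), the following models a server-side session table in memory and shows what a second user logging in on the same browser inherits under each strategy. The `SessionStore`, `login`, `scenario` and the allow-listed `font_size` preference are assumptions constructed for the example.

```python
# Added example: minimal in-memory model of django_session behaviour on logout.
import secrets

AUTH_KEYS = ("_auth_user_id", "_auth_user_backend")


class SessionStore:
    """Server-side table keyed by session id (stands in for django_session)."""

    def __init__(self):
        self.rows = {}  # session_key -> dict of session data

    def new(self):
        key = secrets.token_hex(16)
        self.rows[key] = {}
        return key

    def get(self, key):
        # A cookie naming an unknown or deleted key starts a fresh, empty session.
        return self.rows.setdefault(key, {})


def login(store, key, user_id, extra=None):
    data = store.get(key)
    data["_auth_user_id"] = user_id
    data["_auth_user_backend"] = "ModelBackend"
    data.update(extra or {})  # e.g. a shopping cart written after login
    return key


def logout_keep_row(store, key):
    """The behaviour Louis quotes: strip only the auth keys, keep the row."""
    data = store.get(key)
    for k in AUTH_KEYS:
        data.pop(k, None)
    return key  # same cookie, same row, same leftover data


def logout_flush(store, key, keep=("font_size",)):
    """Delete the row and issue a fresh key, carrying over only allow-listed
    anonymous preferences (Scott's point) so nothing user-specific survives."""
    old = store.rows.pop(key, {})
    new_key = store.new()
    store.rows[new_key] = {k: old[k] for k in keep if k in old}
    return new_key


def scenario(logout):
    """Constructed scenario: Alice logs in, stores data, logs out; Bob then logs
    in on the same browser. Returns the non-auth keys Bob's session contains."""
    store = SessionStore()
    cookie = store.new()
    login(store, cookie, "alice", {"cart": ["item42"], "font_size": 14})
    cookie = logout(store, cookie)  # the cookie the browser keeps afterwards
    login(store, cookie, "bob")
    return sorted(k for k in store.get(cookie) if k not in AUTH_KEYS)
```

With `logout_keep_row`, Bob's session still holds Alice's `cart`; with `logout_flush`, only the allow-listed preference survives. Later Django releases resolved this by calling `request.session.flush()` in `logout()`, which is the flush-and-reissue approach modelled here.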
