On Wed, 2009-04-01 at 14:13 -0700, christian.oudard wrote:
> I have made a page for admins to set a user account to inactive, but I
> noticed that the user's session continues if he is logged in. It
> appears that the is_active field is only checked when the user logs
> in, not when each request is authenticated.

Terminology point: *Authentication* is what happens when the login check is performed. On subsequent visits, the session tells you that they're already *authorised* -- they aren't re-authenticated.

> Is there an easy way to
> log a user out when his account is made inactive

The difficulty here is that there's no easy way to look up a session based on a user (there could be more than one, too). Sessions are pickled data, indexed only by the session identifier. If you knew the session identifier, you could simply delete that session, but finding the right session to delete requires a full table scan and a bunch of unpickling.

> Also, should the
> auth system check is_active on every authenticated request, and should
> this be considered a bug in the auth app?

No. It's up to you to work out what you want to do with is_active, since it varies from application to application. Note that is_active doesn't even prevent you from logging in (as documented). You might want to add some extra middleware to do that check if it's part of your logic flow.

Regards,
Malcolm
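
Added example, not part of the original message and not Django's own code: a stand-alone Python model of the lookup problem described in the reply, where the session table is keyed only by session identifier and every payload is a pickled dict. The table contents and function names are constructed for illustration; `_auth_user_id` is the key under which Django's auth app stores the user id in the session.

```python
import pickle

# Key under which django.contrib.auth stores the logged-in user's id.
AUTH_KEY = "_auth_user_id"


def build_table():
    """Constructed sample data: session_key -> pickled session dict."""
    rows = {
        "k1": {AUTH_KEY: 7, "cart": [1, 2]},
        "k2": {},                 # anonymous visitor, no auth key
        "k3": {AUTH_KEY: 12},
        "k4": {AUTH_KEY: 7},      # same user, second browser
    }
    table = {key: pickle.dumps(data) for key, data in rows.items()}
    table["k5"] = b""             # corrupt row that cannot be decoded
    return table


def sessions_for_user(table, user_id):
    """Return (matching session keys, number of rows scanned).

    There is no index on the user, so every row has to be unpickled
    and inspected, and a user may own more than one session.
    """
    matches, scanned = [], 0
    for key, blob in table.items():
        scanned += 1
        try:
            data = pickle.loads(blob)
        except Exception:
            continue              # skip rows that fail to decode
        if isinstance(data, dict) and data.get(AUTH_KEY) == user_id:
            matches.append(key)
    return matches, scanned


def revoke_user_sessions(table, user_id):
    """Delete every session belonging to user_id; return the deleted keys."""
    matches, scanned = sessions_for_user(table, user_id)
    for key in matches:
        del table[key]
    return matches, scanned


if __name__ == "__main__":
    table = build_table()
    removed, scanned = revoke_user_sessions(table, 7)
    print("removed", sorted(removed), "after scanning", scanned, "rows")
```
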