
Expire the django session #1029

Closed
pushyamig opened this issue Aug 19, 2020 · 6 comments · Fixed by #1413
Comments

@pushyamig
Contributor

pushyamig commented Aug 19, 2020

A Django session seems to be established once the user logs in. The session doesn't seem to expire for a long time. This might be a potential concern for shared computers. At a minimum, the session should expire when the browser closes.

  1. https://docs.djangoproject.com/en/dev/ref/settings/#session-expire-at-browser-close
    SESSION_EXPIRE_AT_BROWSER_CLOSE
    SESSION_COOKIE_AGE
  2. https://pypi.org/project/django-session-timeout/

Test Plan:

  1. Work with a dev on setting the expiration to a small value on the MyLA instance.
  2. In the Chrome browser -> Settings -> On startup (in the left nav) -> pick "Open the New Tab page".
  3. Quit Chrome.
  4. Go to a DB client and look at the django_session table.
  5. `delete from django_session` to remove all the sessions.
  6. Launch MyLA and look at the new Django session created. The session expiry will be set to whatever
     value is in 'SESSION_COOKIE_AGE', with the session_id (of the browser) as the key of the django_session table.
  7. Quit Chrome again and launch MyLA. A new session id will be created irrespective of the expiry before. This is the test for the SESSION_EXPIRE_AT_BROWSER_CLOSE setting.
  8. Launch the tool with a shorter SESSION_COOKIE_AGE, quit Chrome, and launch MyLA. Wait until the session expires and do some activities like going to Resource Access/Assignment Planning etc. The user response will be disturbed.
  9. Launch MyLA again; this action starts a new session and things are fine. A new session id will be created in the django_session table.
@jennlove-um
Contributor

Focus on doing the browser close expiration for this release.

@pushyamig
Contributor Author

I did some research on this SESSION_EXPIRE_AT_BROWSER_CLOSE setting; below is the documentation from Django. So I am not sure whether enabling the browser-close setting will work. I did not test anything, and this judgment is based on the Django documentation.

Some browsers (Chrome, for example) provide settings that allow users to continue browsing sessions after closing and reopening the browser. In some cases, this can interfere with the [SESSION_EXPIRE_AT_BROWSER_CLOSE](https://docs.djangoproject.com/en/dev/ref/settings/#std-setting-SESSION_EXPIRE_AT_BROWSER_CLOSE) setting and prevent sessions from expiring on browser close. Please be aware of this while testing Django applications which have the [SESSION_EXPIRE_AT_BROWSER_CLOSE](https://docs.djangoproject.com/en/dev/ref/settings/#std-setting-SESSION_EXPIRE_AT_BROWSER_CLOSE) setting enabled.

@jonespm
Member

jonespm commented Aug 18, 2022

There's also this library that looks a little more updated that django-session-timeout

https://github.com/yourlabs/django-session-security

@pushyamig
Contributor Author

pushyamig commented Aug 24, 2022

I did some testing around SESSION_EXPIRE_AT_BROWSER_CLOSE = True. I did not see the session expire when the user closes the browser session (a new browser window is a session). I tested from Chrome, FF, and Safari, with the same result from all.

  1. A sessionid is created when the user logs in, and it is stored in the django_session table with an expiry date of 2 weeks (based on the default SESSION_COOKIE_AGE setting).
  2. You can check this session id by going to dev tools -> Application -> cookie properties. The Expire/Max-age option is set to Session.
  3. If SESSION_EXPIRE_AT_BROWSER_CLOSE = False, the Expire/Max-age = 2 weeks.
  4. When the user logs out, this sessionid is deleted in Django, and a new id is created with each login.

We might need to think of an alternative approach like https://github.com/yourlabs/django-session-security

@pushyamig
Contributor Author

pushyamig commented Aug 30, 2022

Successor issue based on this setting #1414

pushyamig added a commit to pushyamig/my-learning-analytics that referenced this issue Sep 1, 2022
pushyamig added a commit that referenced this issue Sep 1, 2022
jonespm pushed a commit to jonespm/student-dashboard-django that referenced this issue Sep 20, 2022
@jonespm
Member

jonespm commented Sep 22, 2022

I've tested that this is working as described in the test plan. We'll have to see how the user experience is and if we get any complaints about this since there's no user feedback (as mentioned in the #1414 followup) but this should be fine.

Every launch or refresh gets a new 24 hour token.

As mentioned, with "Continue where you left off" startup checked, the other setting has no effect, which is probably what most people will have.
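The thread above turns on a distinction that is easy to miss: SESSION_EXPIRE_AT_BROWSER_CLOSE only changes the cookie attributes the browser receives (no Max-Age/Expires, which dev tools show as "Session"), while the django_session row is still stamped with now + SESSION_COOKIE_AGE either way. A browser that restores its previous browsing session on startup keeps sending that session cookie, so the only bound the server actually enforces is the row's expire_date. The following is an added example, not code from the MyLA project or from Django itself: it is a small pure-Python model of those two rules (taken from Django's documented SessionMiddleware behaviour) plus a constructed browser model, so it runs without Django installed. The browser model, the login timestamp and the session key are assumptions made for illustration; per-session set_expiry() and SESSION_SAVE_EVERY_REQUEST refreshes are not modelled.

```python
"""Model of how the two Django settings in this issue interact with a
browser restart.  Added illustration, not Django's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SessionSettings:
    SESSION_COOKIE_AGE: int = 1209600        # Django default: two weeks, in seconds
    SESSION_EXPIRE_AT_BROWSER_CLOSE: bool = False


@dataclass
class SessionRecord:
    session_key: str
    expire_date: datetime                    # what django_session.expire_date holds


def cookie_attributes(settings: SessionSettings, now: datetime) -> dict:
    """Attributes Django puts on the sessionid cookie.

    With SESSION_EXPIRE_AT_BROWSER_CLOSE=True neither Max-Age nor Expires is
    sent, which is what dev tools display as 'Expires/Max-Age: Session'.
    """
    if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
        return {"Max-Age": None, "Expires": None}
    return {
        "Max-Age": settings.SESSION_COOKIE_AGE,
        "Expires": now + timedelta(seconds=settings.SESSION_COOKIE_AGE),
    }


def create_session(settings: SessionSettings, session_key: str, now: datetime) -> SessionRecord:
    """Server-side row: expire_date is now + SESSION_COOKIE_AGE regardless of
    the browser-close setting (that setting never reaches the database)."""
    return SessionRecord(session_key, now + timedelta(seconds=settings.SESSION_COOKIE_AGE))


def server_accepts(record: SessionRecord, now: datetime) -> bool:
    """Django discards a stored session whose expire_date has passed."""
    return now < record.expire_date


def browser_still_sends_cookie(attrs: dict, browser_restarted: bool,
                               restores_tabs: bool, now: datetime) -> bool:
    """Assumed browser model (not part of Django): a cookie without
    Max-Age/Expires survives a restart only when the browser restores the
    previous browsing session ('Continue where you left off'); a persistent
    cookie survives until its Expires time."""
    if attrs["Max-Age"] is None:
        return (not browser_restarted) or restores_tabs
    return now < attrs["Expires"]


def session_usable_after_restart(settings: SessionSettings, restores_tabs: bool,
                                 hours_later: float) -> bool:
    """Can a user who quits and reopens the browser `hours_later` hours after
    login keep using the old session without logging in again?"""
    login_at = datetime(2022, 8, 24, 9, 0, tzinfo=timezone.utc)   # constructed login time
    now = login_at + timedelta(hours=hours_later)
    attrs = cookie_attributes(settings, login_at)
    record = create_session(settings, "constructed-session-key", login_at)   # assumed key
    return browser_still_sends_cookie(attrs, True, restores_tabs, now) and server_accepts(record, now)


if __name__ == "__main__":
    defaults = SessionSettings()
    close_only = SessionSettings(SESSION_EXPIRE_AT_BROWSER_CLOSE=True)
    close_plus_day = SessionSettings(SESSION_COOKIE_AGE=86400, SESSION_EXPIRE_AT_BROWSER_CLOSE=True)
    print("defaults, restart, 1h later:           ", session_usable_after_restart(defaults, False, 1))
    print("browser-close, plain restart, 1h:      ", session_usable_after_restart(close_only, False, 1))
    print("browser-close, 'continue' restart, 1h: ", session_usable_after_restart(close_only, True, 1))
    print("browser-close + 24h age, 'continue', 25h:", session_usable_after_restart(close_plus_day, True, 25))
```

The third case is the one reported in the thread: with the restore-on-startup setting on, SESSION_EXPIRE_AT_BROWSER_CLOSE alone does not log the user out. Only the fourth case, where SESSION_COOKIE_AGE is short enough to matter, ends the session, because that value is the one enforced server-side.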

3 participants