✨ Keep session cookie during 5 days #993

Status: Open (1 commit, base: main)

ZouicheOmar

This PR addresses issue #928.

Purpose

Extend the user session to last 5 days

Proposal

Add django-lasuite session refresh, which already implements
OIDC token refresh and default SESSION_COOKIE_AGE to 5 days.

  • ✨(backend) extend user session to 5 days
  • 📝(doc) update session refresh configuration

Integrate `django-lasuite.middleware.RefreshOIDCAccesToken` to support
a longer user session.

Done:
- Update `SESSION_COOKIE_AGE` to default to 5 days.
- Update app's OIDC settings to store access, refresh and
	refresh token key in session.
- Modified `OIDCAuthenticationBackend` to include a
	'oidc_token_expiration' used by the refresh session
	middleware.
- The refresh session middleware checks against
	'oidc_token_expiration' in order to proceed for a refresh
	request with the IdP. Make sure 'oidc_token_expiration'
	gets updated on successful refresh requests. This will
	prevent the middleware from performing a token refresh on each
	user request after the first expiration occurs.
- Add tests to cover the refresh session case.

Signed-off-by: ZouicheOmar <[email protected]>
@ZouicheOmar

As django-lasuite already implements a token refresh middleware, thought it would be a good fit, but with a couple changes; the middleware decides to do a refresh request by checking against an oidc_token_expiration field that is supposed to be in the request's associated session, so I've added it in OIDCAuthenticationBackend. Second change is by updating the oidc_token_expiration if a refresh is successful, and that is to prevent a refresh request to be sent on each consequent user request, which could be overkill, maybe an unnecessary roundtrip and could probably cause bugs.

@lunika requested a review from qbey May 22, 2025 09:19
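
The refresh decision described in the PR above, as an added Python sketch that is not django-lasuite's or this PR's code: it shows why `oidc_token_expiration` must be rewritten after a successful refresh, and that a rejected refresh token should end the session. Only `oidc_token_expiration` comes from the PR; the other session keys, the function names and the fake IdP are assumptions.

```python
import time

# Session key named in the PR; the two token keys below are assumed names.
EXPIRATION_KEY = "oidc_token_expiration"
ACCESS_KEY = "oidc_access_token"      # hypothetical
REFRESH_KEY = "oidc_refresh_token"    # hypothetical


class RefreshFailed(Exception):
    """Raised by the IdP client when the refresh token is rejected."""


def ensure_fresh_token(session, refresh_with_idp, now=None, update_expiration=True):
    """Return 'valid', 'refreshed' or 'logged_out' for one incoming request.

    update_expiration=False reproduces the behaviour the PR fixes.
    """
    now = time.time() if now is None else now
    expiration = session.get(EXPIRATION_KEY)
    if expiration is not None and now < expiration:
        return "valid"  # access token still valid, no IdP round trip
    refresh_token = session.get(REFRESH_KEY)
    if not refresh_token:
        session.clear()
        return "logged_out"
    try:
        access, new_refresh, expires_in = refresh_with_idp(refresh_token)
    except RefreshFailed:
        # Rejected refresh token: drop the session so the user re-authenticates
        session.clear()
        return "logged_out"
    session[ACCESS_KEY] = access
    session[REFRESH_KEY] = new_refresh  # IdPs may rotate refresh tokens
    if update_expiration:
        session[EXPIRATION_KEY] = now + expires_in
    return "refreshed"


def count_refreshes(update_expiration, requests=5, step=10, lifetime=300):
    """Replay `requests` requests after expiry; count IdP refresh calls."""
    calls = []
    def fake_idp(token):  # constructed stand-in for the IdP token endpoint
        calls.append(token)
        return f"access-{len(calls)}", f"refresh-{len(calls)}", lifetime
    session = {ACCESS_KEY: "access-0", REFRESH_KEY: "refresh-0", EXPIRATION_KEY: 1000}
    for i in range(requests):
        ensure_fresh_token(session, fake_idp, now=1001 + i * step, update_expiration=update_expiration)
    return len(calls)
```

With the expiration updated, five requests after expiry cost one IdP call; without it, every request triggers a refresh.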