[Python-modules-commits] [django-session-security] 09/16: Require SESSION_EXPIRE_AT_BROWSER_CLOSE
Jean-Michel Vourgère
nirgal at moszumanska.debian.org
Tue Sep 13 17:04:16 UTC 2016
This is an automated email from the git hooks/post-receive script.
nirgal pushed a commit to branch debian/sid
in repository django-session-security.
commit 161788fdd88d4a6fac7dd171842f8787feeb035f
Author: jpic <jamespic at gmail.com>
Date: Wed Aug 17 14:14:57 2016 +0200
Require SESSION_EXPIRE_AT_BROWSER_CLOSE
Unless SESSION_SECURITY_INSECURE=True, SESSION_EXPIRE_AT_BROWSER_CLOSE
must be True.
---
session_security/settings.py | 28 ++++++++++++++++++++--------
session_security/tests/project/settings.py | 1 +
test_project/test_project/settings.py | 1 +
3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/session_security/settings.py b/session_security/settings.py
index 230d58e..9fe1708 100644
--- a/session_security/settings.py
+++ b/session_security/settings.py
@@ -16,13 +16,12 @@ PASSIVE_URLS
it should not be used to update the user's last activity datetime.
Overridable in ``settings.SESSION_SECURITY_PASSIVE_URLS``.
-Note that this module will raise a warning if
-``settings.SESSION_EXPIRE_AT_BROWSER_CLOSE`` is not True, because it makes no
-sense to use this app with ``SESSION_EXPIRE_AT_BROWSER_CLOSE`` to False.
+SESSION_SECURITY_INSECURE
+ Set this to True in your settings if you want the project to run without
+ having to set SESSION_EXPIRE_AT_BROWSER_CLOSE=True, which you should
+ because it makes no sense to use this app with
+ ``SESSION_EXPIRE_AT_BROWSER_CLOSE`` to False.
"""
-
-import warnings
-
from django.conf import settings
__all__ = ['EXPIRE_AFTER', 'WARN_AFTER', 'PASSIVE_URLS']
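Review bot: The new SESSION_SECURITY_INSECURE docstring entry never states the consequence it exists to avoid: per the second hunk of this file, importing the module now raises when neither setting is truthy. The clause "which you should because it makes no sense…" is also ambiguous about which setting the reader should set. Suggested wording: `Opt-out. Set to True only if the project must load while SESSION_EXPIRE_AT_BROWSER_CLOSE is not True; otherwise importing this module raises an exception.` The module docstring begins outside this hunk.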
@@ -33,5 +32,18 @@ WARN_AFTER = getattr(settings, 'SESSION_SECURITY_WARN_AFTER', 540)
PASSIVE_URLS = getattr(settings, 'SESSION_SECURITY_PASSIVE_URLS', [])
-if not getattr(settings, 'SESSION_EXPIRE_AT_BROWSER_CLOSE', False):
- warnings.warn('settings.SESSION_EXPIRE_AT_BROWSER_CLOSE is not True')
+expire_at_browser_close = getattr(
+ settings,
+ 'SESSION_EXPIRE_AT_BROWSER_CLOSE',
+ False
+)
+force_insecurity = getattr(
+ settings,
+ 'SESSION_SECURITY_INSECURE',
+ False
+)
+
+if not (expire_at_browser_close or force_insecurity):
+ raise Exception(
+ 'Enable SESSION_EXPIRE_AT_BROWSER_CLOSE or SESSION_SECURITY_INSECURE'
+ )
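Review bot: The bare `raise Exception(...)` that closes this hunk cannot be told apart from any other import failure by the project or its tooling. Django's `ImproperlyConfigured` (from `django.core.exceptions`) is the conventional type for a bad setting. Because the commit also drops the `warnings` import, a deployment that sets SESSION_SECURITY_INSECURE now gets no signal that its sessions survive a browser close. Keeping `import warnings` and warning on the opt-out branch would leave that choice visible in logs and test runs. The sketch below needs both imports at the top of the file and leaves the two `getattr` lookups as they are.

```python
# … unchanged: expire_at_browser_close / force_insecurity lookups …
if not expire_at_browser_close:
    if not force_insecurity:
        raise ImproperlyConfigured(
            'Enable SESSION_EXPIRE_AT_BROWSER_CLOSE or SESSION_SECURITY_INSECURE'
        )
    # Opt-out taken: keep it visible instead of silent.
    warnings.warn(
        'SESSION_SECURITY_INSECURE is set while '
        'SESSION_EXPIRE_AT_BROWSER_CLOSE is not True'
    )
```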
diff --git a/session_security/tests/project/settings.py b/session_security/tests/project/settings.py
index def47de..4dc0b9f 100644
--- a/session_security/tests/project/settings.py
+++ b/session_security/tests/project/settings.py
@@ -115,3 +115,4 @@ STATIC_URL = '/static/'
SESSION_SECURITY_EXPIRE_AFTER=10
SESSION_SECURITY_WARN_AFTER=5
+SESSION_EXPIRE_AT_BROWSER_CLOSE=True
diff --git a/test_project/test_project/settings.py b/test_project/test_project/settings.py
index 6e123d4..f61f1ac 100644
--- a/test_project/test_project/settings.py
+++ b/test_project/test_project/settings.py
@@ -163,6 +163,7 @@ INSTALLED_APPS = (
SESSION_SECURITY_EXPIRE_AFTER=10
SESSION_SECURITY_WARN_AFTER=5
+SESSION_EXPIRE_AT_BROWSER_CLOSE=True
# A sample logging configuration. The only tangible logging
# performed by this configuration is to send an email to
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/django-session-security.git