Redirect after login to the page of the previous user

[rtubio]

After a session is closed due to inactivity for "user-A" and if "user-B" logs in from the same navigator, the middleware redirects the new session for "user-B" to the last page that "user-A" was using. In my opinion, settings.REDIRECT_URL must be used for redirecting in this case.

[jpic]

Nice report, thanks !

[rtubio]

If I have some time along this week, I will try to go deeper in the code and see if I can help. This is an issue that it is happening to me during development, since I am testing my website with two different users (staff and regular user) at a time.

[rtubio]

Hi again,

I have taken a look at django-session-security's middleware.py and you are calling "logout" from "django.contrib.auth.init.py" instead of "logout" from "django.contrib.auth.views.py". I noticed that "logout" from "django.contrib.auth.views.py" has additional features which, however, had no effect on solving this issue. I would just like to know if there is any reason for using "logout" from "init.py" rather than from "views.py".

[jpic]

Actually, the logout view uses the logout function.

We're calling the logout function directly because we're in a middleware.

If we were to redirect to a logout url, then we would redirect to the logout view.

Do you understand ?

[jpic]

Is this issue critical for you ? If so I will make it a priority, I assumed that it was not critical.

[rtubio]

Ok, thanks for the explanation. That was what I had in mind before asking you, I just preferred to ask rather than making a mistake. I was taking a look both at your code and at django.contrib.auth and I think that this issue might be more related with the latter project.

In this project, whenever logout is invoked by security_session, user data is erased from the 'request' object but a reference to the page that the user is currently viewing is kept. When "login" is invoked again, there is no reference with which to compare the new user and the previous one, so that the last page used by the user that was already logged out, is used for redirection with the credentials of the new one.

As you may realize, this problem will only appear when a user leaves his session open in a computer and another one comes, tries to use that session, and logs in again within the same navigator. This might not be something that happens very often, but in my opinion may be somehow important.

[jpic]

Well, it's doing what it was designed for: when the user logs it bring him back to the place he was before.

What happens exactly is:

• yourlabs.SessionSecurity from script.js runs SessionSecurity.ping() periodically, it reports how much time has elapsed since it had client-side activity to PingView,
• in return, PingView returns how much time has elapsed since there has been any activity reported from all clients (all browsers tabs), the lowest is kept of course,
• the response is processed by yourlabs.SessionSecurity.pong() which updates the last activity of this client, then calls yourlabs.SessionSecurity.apply() which finds out that an amount of inactive time is superior to the expiration setting, so it calls yourlabs.SessionSecurity.expire(),
• yourlabs.SessionSecurity.expire() just does window.location.reload(),
• when SessionSecurityMiddleware.process_request() learns that the page should be loaded and that the session should have expired: it calls logout().

This means that:

• you are on /admin/auth/user/,
• your session expire, yourlabs.SessionSecurity requests a page reload,
• you load /admin/auth/user/ again, but the middleware logs you out and you are presented the login form.

At no moment django-session-security does a redirect. That's the problem: the browser sits on the same page no matter what physical person is on the keyboard.

[rtubio]

Yes, for sure: you are absolutely right! The redirection is made by the middleware from django.contrib.auth, not by django-session-security; however, that redirection affects to the behavior of the whole application.

[jpic]

I don't see any redirection at all ;)

• you are on /admin/auth/user,
• script.js decides that your session has expired, it reloads /admin/auth/user,
• on the way, the middleware decides to log you out,
• /admin/auth/user is rendered, but you have been logged out.

[jpic]

I wasn't clear on "logout". The middleware calls this logout function from django: https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L96

As you can see, it does not do a redirect. By "logout" I mean that:

 request.user = AnonymousUser()

No redirect. The same page loads, but with request.user = AnonymousUser(), hence the login form on the same url.

Hope this helps

Let me know if you have any question

Sincerly