Since we're not storing any credit card numbers, set the login to never expire.
Sounds great to me. Can anybody think of a reason not to?
Go for it!
My personal opinion of course.
It would be nice if access to the admin would require you to enter your password again, especially for superusers. It's the only part of the site where damage could be potentially done (getting access to pretty much the entire database + worst case of 24 hours of lost data). Although, hopefully all admins have their computers locked down.
(In reply to comment #4)
> It would be nice if access to the admin would require you to enter your
> password again, especially for superusers. It's the only part of the site
> where damage could be potentially done (getting access to pretty much the
> entire database + worst case of 24 hours of lost data). Although, hopefully
> all admins have their computers locked down.

If you can find a way to do that, maybe as part of AdminPlus, I'd love to see it. I don't know of any way to enforce that in Django, or any concept of "re-authenticating" an authenticated session.
We could set the default session timeout to unlimited, and then perhaps write some kind of middleware that checks if the user's an admin, and if it is, use request.session.set_expiry() to update their session to have a shorter timeout? Hooray for Google searches. I don't know how much overhead that may add though.
Let's leave that for a follow up and just turn off SESSION_EXPIRE_AT_BROWSER_CLOSE and set SESSION_COOKIE_AGE to a month or so. (If we leave it too high, the database will fill up with abandoned sessions.)
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
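The two ideas above (a month-long default session plus a middleware that calls request.session.set_expiry() for admins) sketched as working code. This is an added example, not code from the bug thread or the project; StubSession, StubUser, StubRequest and ADMIN_SESSION_AGE are constructed stand-ins so the block runs without Django installed. In a real project, request.session is Django's SessionStore, the settings go in settings.py, and the middleware is listed in MIDDLEWARE after SessionMiddleware and AuthenticationMiddleware.

```python
"""Shorter session lifetime for admin users on top of a long default.

Added example, not the project's code. The Stub* classes are constructed
stand-ins for Django's request/session objects so this runs offline.
"""
from dataclasses import dataclass, field
from typing import Optional

# Settings as proposed in the thread (values you would put in settings.py).
SESSION_EXPIRE_AT_BROWSER_CLOSE = False     # keep the login across browser restarts
SESSION_COOKIE_AGE = 30 * 24 * 60 * 60      # about a month, in seconds
ADMIN_SESSION_AGE = 24 * 60 * 60            # assumed: one day for staff/superusers


@dataclass
class StubSession:
    """Minimal stand-in for Django's SessionBase (only the calls used here)."""
    expiry: Optional[int] = None    # None means "fall back to SESSION_COOKIE_AGE"
    modified: bool = False

    def set_expiry(self, value):
        # Mirrors the integer form of SessionBase.set_expiry(seconds).
        self.expiry = value
        self.modified = True

    def get_expiry_age(self):
        # Mirrors SessionBase.get_expiry_age() for the two cases we use.
        return SESSION_COOKIE_AGE if self.expiry is None else self.expiry


@dataclass
class StubUser:
    """Stand-in for request.user with the three flags the middleware reads."""
    is_authenticated: bool = False
    is_staff: bool = False
    is_superuser: bool = False


@dataclass
class StubRequest:
    user: StubUser
    session: StubSession = field(default_factory=StubSession)


def admin_session_timeout_middleware(get_response):
    """Factory in the shape Django expects for an entry in MIDDLEWARE."""
    def middleware(request):
        user = request.user
        if user.is_authenticated and (user.is_staff or user.is_superuser):
            # Only write the session when its age is not already the admin
            # value: set_expiry() marks the session modified, and saving it on
            # every hit is the overhead comment #7 was worried about.
            if request.session.get_expiry_age() != ADMIN_SESSION_AGE:
                request.session.set_expiry(ADMIN_SESSION_AGE)
        return get_response(request)
    return middleware


def expiry_after_request(user: StubUser) -> int:
    """Push one request through the middleware and return the resulting session age."""
    handler = admin_session_timeout_middleware(lambda req: "200 OK")
    request = StubRequest(user=user)
    handler(request)
    return request.session.get_expiry_age()


if __name__ == "__main__":
    print("anonymous :", expiry_after_request(StubUser()))
    print("member    :", expiry_after_request(StubUser(is_authenticated=True)))
    print("superuser :", expiry_after_request(StubUser(is_authenticated=True, is_superuser=True)))
```

Regular members keep the month-long cookie; anyone with is_staff or is_superuser is cut back to a day on their first request. The database-bloat caveat from the comment above still applies with a long SESSION_COOKIE_AGE: Django's database session backend does not purge expired rows by itself, so schedule the standard `python manage.py clearsessions` management command to run periodically.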
Verified login persists - nice change!
Status: RESOLVED → VERIFIED