Overview

Django Expire

A Django application which provides authentication-based session expiration.

To install this application into your project, first add it to your INSTALLED_APPS setting (and run manage.py syncdb):

INSTALLED_APPS = (
    ...
    'django_expire',
)

Next, add the expiration middleware to your MIDDLEWARE_CLASSES setting, placing it after both the session and auth middleware.:

MIDDLEWARE_CLASSES = (
    ...
    'django_expire.middleware.ExpireMiddleware',
)

What it does

For every request by an authenticated user, a check is run to ensure the number of other sessions also belonging to the user does not exceed the allowed maximum.

This maximum defaults to 1, but you can provide a EXPIRE_MAX_USERS setting to override this default (a setting of 0 allows an unlimited amount of users per session).

If a user has exceeded the number of sessions they are allowed, the excessive sessions are removed (effectively logging the user out of these now invalidated sessions).

Logged sessions

A log of each session is stored in the django_expire.models.LoggedSession model.

Invalidated sessions are not removed from the database by default so you can use this model to retrieve login information (for example, date/time and IP address).

Use the EXPIRE_LOG_LIMIT setting to set a limit of expired session logs to retain for each user (you can use 0 to delete expired session logs straight away or None for no limit).

Changing expiration settings per user

The django_expire.signals.expire_check allows you to change the expiration settings at a per-user level.

The signal is sent before any tests are run, along with a settings dictionary containing a single max_users key. Signal handlers may change the value of the dictionary to alter the settings for this user.

An example handler (which is not automatically connected) can be found in django_expire.signals.superuser_handler which demonstrates allowing superusers an unlimited number of sessions.