Am/feature inactivity timeout

install.py

@@ -116,7 +116,10 @@ def create_environment_json(path):
     "static": "static_root",
     "secret-key": secret_key,
     "test_visible": False,
-    "debug": True
+    "debug": True,
+    "session_security_expire_at_browser_close" : True,
+    "session_security_warn_after" : 1200,
+    "session_security_expire_after" : 1800
     }
     # Create local directory
     if not os.path.exists('local'):

requirements.in

@@ -88,3 +88,6 @@ markupsafe==1.1.1 # BSD 3
 
 # Excel exports
 openpyxl # MIT License
+
+# Session timeout & security
+django-session-security

siteapp/settings.py

@@ -8,6 +8,7 @@
 import os, os.path, json
 from platform import uname, system
 from django.core.exceptions import ValidationError
+#from system_settings.models import SystemSettings
 # What's the name of the app containing this file? That determines
 # the module for the main URLconf etc.
 primary_app = os.path.basename(os.path.dirname(__file__))
@@ -98,6 +99,7 @@ def make_secret_key():
 	'django.contrib.messages',
 	'django.contrib.humanize',
 	'django.contrib.admindocs',
+	'session_security',
 
 ]
 THIRD_PARTY_APPS = [
@@ -141,6 +143,7 @@ def make_secret_key():
 	'simple_history.middleware.HistoryRequestMiddleware',
 	'pyinstrument.middleware.ProfilerMiddleware',
 	#'django.middleware.cache.FetchFromCacheMiddleware',
+	'session_security.middleware.SessionSecurityMiddleware',
 ]
 # The cache connection to use for the cache middleware.
 #CACHE_MIDDLEWARE_ALIAS='default'
@@ -403,6 +406,17 @@ def make_secret_key():
 SECURE_CONTENT_TYPE_NOSNIFF = True
 X_FRAME_OPTIONS = 'DENY' # don't allow site to be embedded in iframes
 
+# Session security and inactivity timeout. Logout user after certain period of inactivity.
+# By default user is warned at 20 minutes that session is about to expire and if user does not perform any mouse/keyboard activity
+# the session expires 10 minutes later (total of 30 minutes).
+warn_after = 85800
+expire_after = 86400
+expire_at_browser_close = True
+
+SESSION_EXPIRE_AT_BROWSER_CLOSE = environment['session_security_expire_at_browser_close'] if not DEBUG else expire_at_browser_close
+SESSION_SECURITY_WARN_AFTER = environment['session_security_warn_after'] if not DEBUG else warn_after
+SESSION_SECURITY_EXPIRE_AFTER = environment['session_security_expire_after'] if not DEBUG else expire_after
+
 # Put static files in the virtual path "/static/". When the "static"
 # environment setting is present, then it's a local directory path
 # where "collectstatic" will put static files.

siteapp/tests.py

@@ -22,6 +22,7 @@
 from django.test.client import RequestFactory
 
 import selenium.webdriver
+from selenium.webdriver.remote.command import Command
 from django.urls import reverse
 from selenium.common.exceptions import WebDriverException
 from django.contrib.auth.models import Permission
@@ -259,6 +260,9 @@ def test_supportpage_customize(self):
         self.assertInNodeText("support@govready.com", "#support_content")
 
 class LandingSiteFunctionalTests(SeleniumTest):
+    def setUp(self):
+        super().setUp()
+
     def test_homepage(self):
         self.browser.get(self.url("/"))
         self.assertRegex(self.browser.title, "Welcome to Compliance Automation")
@@ -499,6 +503,14 @@ def test_static_pages(self):
         wait_for_sleep_after(lambda: self.browser.get(self.url("/love-assessments")))
         wait_for_sleep_after(lambda: self.assertRegex(self.browser.title, "Love Assessments"))
 
+    def test_session_timeout(self):
+        self._login()
+        ping_url = self.url("/session_security/ping/?idleFor=0")
+        response = self.client_get(ping_url)
+        #self.browser.get(ping_url)
+        self.assertTrue(response.status_code==200)
+        self.assertTrue(response.content==b'0')
+
     def test_simple_module(self):
         # Log in and create a new project and start its task.
         self._login()

siteapp/urls.py

@@ -122,6 +122,7 @@
     url(r'^tags/_save$', views.create_tag),
     url(r'^tags/(\d+)/_delete$', views.delete_tag),
     url(r'^tags/$', views.list_tags),
+    url(r'session_security/', include('session_security.urls')),
 ]
 
 if 'django.contrib.auth.backends.ModelBackend' in settings.AUTHENTICATION_BACKENDS:

templates/base.html

@@ -183,7 +183,7 @@ <h4 class="modal-title" id="invitation_modal_title">...</h4>
     }
     </script>
     {% endif %}
-
+    {% include 'session_security/all.html' %}
     {% block scripts %}
     {% endblock %}
     </body>