3060 active user session (#3182)

* no change * lok into token * Added a custom session handler instead of signed_sessions * Update common.py * Update README.md * added a new settings * 3060 linting * 3060 linting * 3060 remove unused params * 3060 uncommented SIGNED_COOKIE_EXPIRES * 3060 update markdown * disable session expire at browser close * remove unused overrides * corrected the timeouts --------- Co-authored-by: Alex P. <63075587+ADPennington@users.noreply.github.com>
raft-tech · Oct 16, 2024 · 34fb345 · 34fb345
1 parent ccb07cc
commit 34fb345
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 6 deletions.
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -5,7 +5,7 @@ tasks:
   upload-kibana-objs:
     desc: Upload dashboards to Kibana server
     cmds:
-      - curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@tdrs-backend/tdpservice/search_indexes/kibana_saved_objs.ndjson
+      - 'curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@tdrs-backend/tdpservice/search_indexes/kibana_saved_objs.ndjson'
 
   create-network:
     desc: Create the external network

diff --git a/tdrs-backend/docs/session-management.md b/tdrs-backend/docs/session-management.md
@@ -11,7 +11,7 @@ When the user logs in, they will receive an HttpOnly cookie with no `Expires=` s
 SESSION_EXPIRE_AT_BROWSER_CLOSE=True
 ```
 
-The cookie itself contains a `sessionid` reference to a Django-managed session. The session expiration is set to the same expiration of the login.gov-provided jwt, **15 minutes**.
+The cookie itself contains a `sessionid` reference to a Django-managed session. By deafult, the session expiration is set to the same expiration of the login.gov-provided jwt, **15 minutes**. Since `sessionid` is being signed when created, it not possible to update the expiry without decoding and recreating the signature, so the session expires even though the cookie is being extended with every request. Thus, in order to overcome this shortcoming, a longer expiry is being assigned to `sessionid` using a new variable `SIGNED_COOKIE_EXPIRES` in common settings.
 
 This is managed in `tdrs-backend/tdpservice/settings/common.py` with the following setting:
 ```python

diff --git a/tdrs-backend/tdpservice/core/custom_session_engine.py b/tdrs-backend/tdpservice/core/custom_session_engine.py
@@ -0,0 +1,34 @@
+"""Custom session engine for TDP."""
+
+from django.contrib.sessions.backends import signed_cookies
+from django.core import signing
+import datetime
+from django.conf import settings
+
+class SessionStore(signed_cookies.SessionStore):
+    """Custom session engine for TDP."""
+
+    def __init__(self, session_key=None):
+        """Initialize the custom session engine."""
+        super().__init__(session_key)
+
+    def load(self):
+        """Load the session data from the database."""
+        """
+        Load the data from the key itself instead of fetching from some
+        external data store. Opposite of _get_session_key(), raise BadSignature
+        if signature fails.
+        """
+
+        try:
+            return signing.loads(
+                self.session_key,
+                serializer=self.serializer,
+                # This doesn't handle non-default expiry dates, see #19201
+                max_age=datetime.timedelta(seconds=settings.SIGNED_COOKIE_EXPIRES),
+                salt="django.contrib.sessions.backends.signed_cookies",
+            )
+        except Exception:
+            # BadSignature, ValueError, or unpickling exceptions. If any of
+            # these happen, reset the session.
+            return {}
diff --git a/tdrs-backend/tdpservice/data_files/admin/admin.py b/tdrs-backend/tdpservice/data_files/admin/admin.py
@@ -1,7 +1,6 @@
 """Admin class for DataFile objects."""
 from django.contrib import admin
 from tdpservice.core.utils import ReadOnlyAdminMixin
-# from tdpservice.core.filters import custom_filter_title
 from tdpservice.data_files.models import DataFile, LegacyFileTransfer
 from tdpservice.parsers.models import DataFileSummary, ParserError
 from tdpservice.data_files.admin.filters import LatestReparseEvent, VersionFilter

diff --git a/tdrs-backend/tdpservice/settings/common.py b/tdrs-backend/tdpservice/settings/common.py
@@ -281,10 +281,11 @@ class Common(Configuration):
     )
 
     # Sessions
-    SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
+    SESSION_ENGINE = "tdpservice.core.custom_session_engine"
+    SIGNED_COOKIE_EXPIRES = 60 * 60 * 12  # 12 hours
     SESSION_COOKIE_HTTPONLY = True
-    SESSION_EXPIRE_AT_BROWSER_CLOSE = True
-    SESSION_COOKIE_AGE = 15 * 60  # 15 minutes
+    SESSION_SAVE_EVERY_REQUEST = True
+    SESSION_COOKIE_AGE = 60 * 30  # 30 minutes
     # The CSRF token Cookie holds no security benefits when confined to HttpOnly.
     # Setting this to false to allow the frontend to include it in the header
     # of API POST calls to prevent false negative authorization errors.