WIP: active-sessions #93586

Oleg-Komarov · 2024-07-26T12:43:35+02:00

Oleg-Komarov commented

2024-07-26 12:43:35 +02:00

Motivation

A user needs to know how their account is being accessed/used.
At the very minimum, we need to display information about recent sign-ins and active sessions.

This PR adds a new "Active Sessions" page that lists existing sessions linked to a user, with an option to terminate a particular session.

Implementation

Builtin django sessions are lacking some essential features:

it's impossible to efficiently list all sessions belonging to a user
there is no record of created_at/loggedin_at for a session

There are a few possible solutions to this:

add a cross table bid_main_user_session that would link to both django_session and bid_main_user tables, and also have info about sign-in timestamp, IP and User-Agent.
one downside is that django_session pk is a rather wide, varchar(40) column, and all session deletes need to cascade to the new bid_main_user_session table via a FK constraint. this concern may be immaterial
an upside is that the core functionality of sessions is not affected, and the cross-table can be easily extended for any future needs (e.g. if we decide to keep track of terminated sessions, recording their sign-out timestamp).
use a fork/extension of the builtin session implementation:
- https://github.com/jazzband/django-user-sessions is relatively popular, but is lacking created_at field, and hasn't been released in a while, although seems to be maintained (has recent commits)
- https://github.com/QueraTeam/django-qsessions/ is a fork of django-user-sessions, and seems to be maintained. One wart is that it exposes session_keys in admin, but that admin page can be removed.
write our own fork

For now I am deliberating between a cross table and django-qsessions.

Switching to a different table drops logged-in state for all users.
We can populate the new table using the idea from https://github.com/jazzband/django-user-sessions/blob/master/user_sessions/management/commands/migratesessions.py but we won't have info about User-Agent, IP and create_at timestamp for old sessions (which is probably acceptable).

Deploy notes

After deploy run:

manage.py download_geoip_db -k mykey

## Motivation A user needs to know how their account is being accessed/used. At the very minimum, we need to display information about recent sign-ins and active sessions. This PR adds a new "Active Sessions" page that lists existing sessions linked to a user, with an option to terminate a particular session. ## Implementation Builtin django sessions are lacking some essential features: - it's impossible to efficiently list all sessions belonging to a user - there is no record of created_at/loggedin_at for a session There are a few possible solutions to this: - add a cross table `bid_main_user_session` that would link to both `django_session` and `bid_main_user` tables, and also have info about sign-in timestamp, IP and User-Agent. one downside is that `django_session` pk is a rather wide, varchar(40) column, and all session deletes need to cascade to the new `bid_main_user_session` table via a FK constraint. this concern may be immaterial an upside is that the core functionality of sessions is not affected, and the cross-table can be easily extended for any future needs (e.g. if we decide to keep track of terminated sessions, recording their sign-out timestamp). - use a fork/extension of the builtin session implementation: - https://github.com/jazzband/django-user-sessions is relatively popular, but is lacking created_at field, and hasn't been released in a while, although seems to be maintained (has recent commits) - https://github.com/QueraTeam/django-qsessions/ is a fork of django-user-sessions, and seems to be maintained. One wart is that it exposes session_keys in admin, but that admin page can be removed. - write our own fork For now I am deliberating between a cross table and django-qsessions. Switching to a different table drops logged-in state for all users. We can populate the new table using the idea from https://github.com/jazzband/django-user-sessions/blob/master/user_sessions/management/commands/migratesessions.py but we won't have info about User-Agent, IP and create_at timestamp for old sessions (which is probably acceptable). ### Deploy notes After deploy run: `manage.py download_geoip_db -k mykey`

Oleg-Komarov added 2 commits 2024-07-26 12:43:36 +02:00

wip f6cdaa33e7

add test 8b835ab870

Oleg-Komarov added 1 commit 2024-07-26 15:49:58 +02:00

new_user_session email when logging in from a new IP d81974815a

Oleg-Komarov force-pushed active-sessions from d81974815a to 7cb8ed2b79

2024-07-26 16:03:09 +02:00

Compare

Oleg-Komarov force-pushed active-sessions from 7cb8ed2b79 to b52564fb36

2024-07-26 17:18:05 +02:00

Compare

Oleg-Komarov commented