Feature proposal: hijack expiration #374

Open
jonkiparsky opened this issue Nov 30, 2021 · 2 comments

Comments

@jonkiparsky

jonkiparsky commented Nov 30, 2021

My org is using django-hijack to allow staff to masquerade as users. We've noticed that our staff users sometimes forget to release the hijack when they're done, and there's been a request to automatically release the hijack after a set time has elapsed. Reviewing the documentation, I see no provision for such a feature.

More precisely, I'd like to add a setting HIJACK_TIMEOUT_SECONDS, defaulting to None. If the setting has a non-null value, that value is the number of seconds from start of hijack before automatic release of the user. Typical value expected to be on the order of six hours.

Is this a feature that the django-hijack maintainers would be interested in seeing? If so, we'd be happy to make the changes as a modification of django-hijack and offer up a pull request.


Please click 👍 if you'd like to see this feature implemented

@codingjoe
Collaborator

Hi @jonkiparsky,

Thank you for reaching out. I understand where you and your users are coming from. Sadly, implementing this isn't an easy feat. Expiration is always tricky, but here we have to contemplate various security implications as well. For example, how would we notify the user that the hijack has expired, and they are now surfing as themselves? Currently, this requires deliberate action.

Besides the security implications, this would require some breaking changes in our API, which isn't a problem. However, adding a lot of code for a single feature is. The bigger this package gets, the harder it becomes to ensure excellent security.

Bottom line, I'd love to keep this issue open and have people upvote this. Should it gain enough community support, I'd be happy to have you contribute this feature. Sounds fair?

Best,
Joe

@jonkiparsky
Author

Sounds fair, thanks for the feedback.
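
The expiry check proposed in this thread, together with the notification concern raised in the reply, can be sketched as below. This is an added example, not code from django-hijack or from either participant. It assumes the session behaves like a dict; the session keys and function names are hypothetical, and only `HIJACK_TIMEOUT_SECONDS` comes from the proposal.

```python
import time

HIJACK_TIMEOUT_SECONDS = 6 * 60 * 60  # proposed setting; None disables expiry

# Hypothetical session keys for this sketch, not django-hijack's own.
USER_KEY = "user_id"
HIJACKER_KEY = "example_hijacker_id"
STARTED_KEY = "example_hijack_started_at"
NOTICE_KEY = "example_hijack_expired_notice"


def start_hijack(session, target_id, now=None):
    """Record who is hijacking and when, then switch the session user."""
    session[HIJACKER_KEY] = session[USER_KEY]
    # Wall-clock time: the session outlives any single process.
    session[STARTED_KEY] = time.time() if now is None else now
    session[USER_KEY] = target_id


def enforce_hijack_timeout(session, timeout=HIJACK_TIMEOUT_SECONDS, now=None):
    """Return 'inactive', 'active' or 'expired'; call once per request."""
    if HIJACKER_KEY not in session:
        return "inactive"
    if timeout is None:
        return "active"  # default: hijack lasts until released by hand
    now = time.time() if now is None else now
    started = session.get(STARTED_KEY)
    # Fail closed: a missing, non-numeric or future start time counts as expired.
    valid = isinstance(started, (int, float)) and started <= now
    if valid and now - started < timeout:
        return "active"
    hijacked_id = session[USER_KEY]
    session[USER_KEY] = session.pop(HIJACKER_KEY)  # restore the staff user
    session.pop(STARTED_KEY, None)
    # Flag for the next response to tell the staff member they are
    # acting as themselves again, so the switch is never silent.
    session[NOTICE_KEY] = {"released_user_id": hijacked_id, "at": now}
    return "expired"
```

The view layer would read and clear the notice flag on the next response, so the automatic release is visible to the staff member before they take further actions.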
