Describe the bug
When there are concurrent sessions held by the same user on different devices, the first which logs out also marks the time on the latter.
To Reproduce
Steps to reproduce the behavior:
1. Configure AXES using AxesDatabaseHandler (the default one)
2. Create a user
3. Log in with that user using a browser
4. Log in with that user using a different browser (or incognito mode)
5. <repeat step 3 with other browser/client if needed>
6. Log out from one of the active browsers
Now every AccessLog for that user has the same logout_time, even those for which there is still an active session. It is not possible to update access-logs for those records.
Expected behavior
Every session for a single user should be related to a single AccessLog, to enable a correct tracking of the user.
Your environment
python version: 3.10
django version: 4.2
django-axes version:
Operating system: Linux
Possible implementation
It would be advisable to have another optional field on AccessLog which can be a digest of the current session-id.
This could also be used as a method to detect whenever an access "expires" without log-off.
The reason for not using a FK to session is:
- it is not secure, since the PK of session usually is the session-id, which must be kept secret and hard to find (if possible)
- username is already not a real FK to user but just a simple column
Referenced code: django-axes/axes/handlers/database.py, lines 319 to 321 in fd9d185
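A sketch of the session-digest proposal from the issue, added here as an example and not django-axes code. The table, column and function names (`access_log`, `session_hash`, `log_logout_by_session`) are assumptions, the session keys are constructed, and an in-memory SQLite table stands in for the Django ORM.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone


def session_digest(session_key: str) -> str:
    # Store only a SHA-256 digest so the secret session key never reaches the log table.
    return hashlib.sha256(session_key.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Hypothetical stand-in for the AccessLog table, plus the proposed optional column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access_log (id INTEGER PRIMARY KEY, username TEXT, "
               "session_hash TEXT, attempt_time TEXT, logout_time TEXT)")
    return db


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def log_login(db, username, session_key) -> None:
    db.execute("INSERT INTO access_log (username, session_hash, attempt_time) "
               "VALUES (?, ?, ?)", (username, session_digest(session_key), _now()))


def log_logout_by_username(db, username) -> int:
    # Behaviour reported in the issue: every open row for the user is closed.
    return db.execute("UPDATE access_log SET logout_time = ? WHERE username = ? "
                      "AND logout_time IS NULL", (_now(), username)).rowcount


def log_logout_by_session(db, username, session_key) -> int:
    # Proposed behaviour: only the row tied to the session that logged out is closed.
    return db.execute("UPDATE access_log SET logout_time = ? WHERE username = ? "
                      "AND session_hash = ? AND logout_time IS NULL",
                      (_now(), username, session_digest(session_key))).rowcount


def open_rows(db, username) -> int:
    # Rows without a logout_time: sessions still considered active.
    return db.execute("SELECT COUNT(*) FROM access_log WHERE username = ? "
                      "AND logout_time IS NULL", (username,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for key in ("constructed-key-browser-a", "constructed-key-browser-b"):
        log_login(db, "alice", key)
    print(log_logout_by_session(db, "alice", "constructed-key-browser-a"), open_rows(db, "alice"))
```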