django-session-security
2.6.8 | verified Fri May 01 | auth: no | python | maintenance
Provides client- and server-side session timeout enforcement with configurable warnings. v2.6.8 requires Python >=3.10 and Django >=3.2. Maintenance branch with infrequent releases.
pip install django-session-security
Common errors
error django.core.exceptions.ImproperlyConfigured: The SESSION_SECURITY_EXPIRE_AFTER setting must be an integer.
cause The setting is missing or set to a non-int value.
fix Add `SESSION_SECURITY_EXPIRE_AFTER = 600` (or another integer) in settings.
error ImportError: cannot import name 'SessionSecurityMiddleware' from 'session_security'
cause Wrong import path.
fix Use `from session_security.middleware import SessionSecurityMiddleware`.
error django.core.checks.W001: session_security.SessionSecurityMiddleware not found in MIDDLEWARE in the correct position.
cause Middleware is missing or in the wrong order.
fix Add `'session_security.middleware.SessionSecurityMiddleware'` after AuthenticationMiddleware and before SessionMiddleware.
Warnings
breaking Removed support for the legacy `SESSION_EXPIRE_AT_BROWSER_CLOSE` setting. Session expiry is now controlled solely by `SESSION_SECURITY_EXPIRE_AFTER`.
fix Use `SESSION_SECURITY_EXPIRE_AFTER` instead of the legacy setting.
deprecated The `session_security.decorators` module (e.g., `@session_security_disabled`) is deprecated and will be removed in v3.0.
fix Use the mixin-based approach: `from session_security.views import SessionSecurityMixin`.
gotcha If using Django's `SILENCED_SYSTEM_CHECKS`, adding `'session_security.W001'` will suppress the middleware position check, but doing so without proper middleware order will cause session expiry to not trigger.
fix Ensure `SessionSecurityMiddleware` is placed after `AuthenticationMiddleware` and before `SessionMiddleware`.
Imports
- SessionSecurityMiddleware
  wrong: `from session_security import SessionSecurityMiddleware`
  correct: `from session_security.middleware import SessionSecurityMiddleware`
- SessionSecurityMixin
  `from session_security.views import SessionSecurityMixin`
Quickstart
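INSTALLED_APPS = [
    # ... your existing apps ...
    'session_security',
]
MIDDLEWARE = [
    # ... earlier middleware ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    # Must come after AuthenticationMiddleware
    'session_security.middleware.SessionSecurityMiddleware',
    # ... remaining middleware ...
]
# Optional settings
SESSION_SECURITY_EXPIRE_AFTER = 600  # seconds of inactivity before the session expires
SESSION_SECURITY_WARN_AFTER = 540  # seconds of inactivity before the warning is shown
SESSION_SECURITY_PASSIVE_URLS = []  # URLs whose requests do not count as user activity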
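A preflight check for the misconfigurations listed above (non-integer `SESSION_SECURITY_EXPIRE_AFTER`, middleware order, and a silenced `session_security.W001`), as an added example that is not part of django-session-security. `audit_session_security` and the sample dicts are hypothetical; it checks only the "after AuthenticationMiddleware" half of the ordering rule, and the `WARN_AFTER < EXPIRE_AFTER` comparison is an added sanity check.

```python
AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"
SEC_MW = "session_security.middleware.SessionSecurityMiddleware"
CHECK_ID = "session_security.W001"  # check id as given on this page


def _is_int(value):
    # bool is a subclass of int in Python; True/False must not pass as seconds.
    return isinstance(value, int) and not isinstance(value, bool)


def audit_session_security(settings):
    """Return a list of findings for a dict of Django settings (hypothetical helper)."""
    findings = []
    expire = settings.get("SESSION_SECURITY_EXPIRE_AFTER")
    warn = settings.get("SESSION_SECURITY_WARN_AFTER")
    if not _is_int(expire) or expire <= 0:
        findings.append("EXPIRE_AFTER must be a positive integer number of seconds")
    if warn is not None:
        if not _is_int(warn) or warn <= 0:
            findings.append("WARN_AFTER must be a positive integer number of seconds")
        elif _is_int(expire) and warn >= expire:
            findings.append("WARN_AFTER must be smaller than EXPIRE_AFTER")
    # Position of each middleware entry in the configured list.
    pos = {name: i for i, name in enumerate(settings.get("MIDDLEWARE", []))}
    ordered = SEC_MW in pos and AUTH_MW in pos and pos[SEC_MW] > pos[AUTH_MW]
    if not ordered:
        findings.append("SessionSecurityMiddleware missing or not after AuthenticationMiddleware")
        if CHECK_ID in settings.get("SILENCED_SYSTEM_CHECKS", []):
            findings.append(CHECK_ID + " is silenced, so Django will not report the bad order")
    return findings


# Constructed sample settings, not taken from a real project.
GOOD = {
    "SESSION_SECURITY_EXPIRE_AFTER": 600,
    "SESSION_SECURITY_WARN_AFTER": 540,
    "MIDDLEWARE": [AUTH_MW, SEC_MW],
}
BAD = {
    "SESSION_SECURITY_EXPIRE_AFTER": "600",  # string, not int
    "SESSION_SECURITY_WARN_AFTER": 700,
    "MIDDLEWARE": [SEC_MW, AUTH_MW],  # wrong order
    "SILENCED_SYSTEM_CHECKS": [CHECK_ID],
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_session_security(cfg))
```

Run it in CI against the values from your settings module so a silenced check cannot hide a misordered middleware.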