I’m working on a site that uses Django 1.2.5. It uses the Django authentication backend to log users in and out. This, in turn, uses the Django session framework to set cookies. It appears that cookies set by Django’s session backend expire after 2 weeks. I’ve gotten complaints from users that they are being logged out of their accounts and have to be log back in, and I suspect this is due to the fact that cookies are expiring after 2 weeks. I have SESSION_COOKIE_AGE to 1 year (i.e, 31556926 seconds) but I don’t know if that’s the best solution to this problem — I’m not sure if it’ll have unintentional side effects.
Is there a way to keep users logged in indefinitely (i.e., keep them logged in until they manually log out)? I haven’t found a setting, but any solution (e.g., middleware or the like) would be acceptable.
The only way to extend session life is through longer-lived cookies. Every other method of user identification (e.g. IP + user-agent) suffers from ambiguity and, therefore, has security issues.