Hey there,
I just had quite a bit of trouble debugging a tricky issue where /some/ of my users were getting logged out just an hour or so after logging in.
After some digging, I learned that the issue was mostly affecting google-oauth2 users.
Finally, I noticed that the issue was the default setting for SOCIAL_AUTH_SESSION_EXPIRATION, which was /overriding/ the SESSION_COOKIE_AGE setting to make user sessions only last as long as the token from the auth provider. In the case of google-oauth2, this is just an hour or so. It was quite confusing that even though I had a Django setting for SESSION_COOKIE_AGE (set to 1 year), this setting was not being honored.
So I suggest that the /default/ behavior should be to respect SESSION_COOKIE_AGE, with the /option/ to favor the auth provider's 'expires' header.
Happy to write a pull request if project maintainers agree. Thanks!
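
Added example, not part of the original post and not the library's own code: a small model of the behaviour described above, showing why only users of some backends lose their session early. The function names, the backend named "no-expiry-backend", the sample lifetimes and the default of True for SOCIAL_AUTH_SESSION_EXPIRATION (taken from the post's description) are assumptions.

```python
from datetime import timedelta

ONE_YEAR = int(timedelta(days=365).total_seconds())
DJANGO_DEFAULT_COOKIE_AGE = 1209600  # Django's default SESSION_COOKIE_AGE (2 weeks)

# Constructed sample: token lifetime in seconds that each backend reports,
# None when the provider reports no expiry.
SAMPLE_PROVIDER_LIFETIMES = {"google-oauth2": 3600, "no-expiry-backend": None}


def effective_session_age(settings, provider_expires_in):
    """Seconds a login session lasts under the behaviour the post describes.

    settings is a plain dict standing in for a Django settings module.
    """
    cookie_age = settings.get("SESSION_COOKIE_AGE", DJANGO_DEFAULT_COOKIE_AGE)
    # Assumption from the post: the option is on unless explicitly disabled.
    follow_provider = settings.get("SOCIAL_AUTH_SESSION_EXPIRATION", True)
    if follow_provider and provider_expires_in is not None:
        # The provider's token expiry replaces SESSION_COOKIE_AGE outright.
        return provider_expires_in
    return cookie_age


def backends_with_shortened_sessions(settings, provider_lifetimes):
    """Names of backends whose users are logged out before SESSION_COOKIE_AGE."""
    cookie_age = settings.get("SESSION_COOKIE_AGE", DJANGO_DEFAULT_COOKIE_AGE)
    return sorted(
        name
        for name, ttl in provider_lifetimes.items()
        if effective_session_age(settings, ttl) < cookie_age
    )


if __name__ == "__main__":
    as_reported = {"SESSION_COOKIE_AGE": ONE_YEAR}
    with_option_off = {"SESSION_COOKIE_AGE": ONE_YEAR,
                       "SOCIAL_AUTH_SESSION_EXPIRATION": False}
    for label, cfg in (("as reported", as_reported), ("option off", with_option_off)):
        print(label, backends_with_shortened_sessions(cfg, SAMPLE_PROVIDER_LIFETIMES))
```

Whichever value is chosen, the session lifetime that actually applies is the one to review, since it bounds how long a stolen session cookie stays usable.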