From 26b61aa8131c2bce21be22aa4d00720d6c1326ad Mon Sep 17 00:00:00 2001
From: Adrian Holovaty <adrian@holovaty.com>
Date: Thu, 1 Jun 2006 22:25:06 +0000
Subject: [PATCH] Fixed #395 -- Added SESSION_EXPIRE_AT_BROWSER_CLOSE setting,
 which regulates whether session framework should use browser-session-length
 cookies.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3049 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/conf/global_settings.py        |  1 +
 django/contrib/sessions/middleware.py |  9 +++++++--
 docs/sessions.txt                     | 24 ++++++++++++++++++++++++
 docs/settings.txt                     |  8 ++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 3e9318dfce..e110a50884 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -235,6 +235,7 @@ SESSION_COOKIE_NAME = 'sessionid'         # Cookie name. This can be whatever yo
 SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seconds (default: 2 weeks).
 SESSION_COOKIE_DOMAIN = None              # A string like ".lawrence.com", or None for standard domain cookie.
 SESSION_SAVE_EVERY_REQUEST = False        # Whether to save the session data on every request.
+SESSION_EXPIRE_AT_BROWSER_CLOSE = False   # Whether sessions expire when a user closes his browser.
 
 #########
 # CACHE #
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index dae8a11554..da1130f560 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -79,9 +79,14 @@ class SessionMiddleware:
         else:
             if modified or settings.SESSION_SAVE_EVERY_REQUEST:
                 session_key = request.session.session_key or Session.objects.get_new_session_key()
+                if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
+                    max_age = None
+                    expires = None
+                else:
+                    max_age = settings.SESSION_COOKIE_AGE
+                    expires = datetime.datetime.strftime(datetime.datetime.utcnow() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE), "%a, %d-%b-%Y %H:%M:%S GMT")
                 new_session = Session.objects.save(session_key, request.session._session,
                     datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
-                expires = datetime.datetime.strftime(datetime.datetime.utcnow() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE), "%a, %d-%b-%Y %H:%M:%S GMT")
                 response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
-                    max_age=settings.SESSION_COOKIE_AGE, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN)
+                    max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN)
         return response
diff --git a/docs/sessions.txt b/docs/sessions.txt
index b7f16b67b9..2dba491159 100644
--- a/docs/sessions.txt
+++ b/docs/sessions.txt
@@ -197,6 +197,22 @@ will be sent on every request.
 Similarly, the ``expires`` part of a session cookie is updated each time the
 session cookie is sent.
 
+Browser-length sessions vs. persistent sessions
+===============================================
+
+You can control whether the session framework uses browser-length sessions vs.
+persistent sessions with the ``SESSION_EXPIRE_AT_BROWSER_CLOSE`` setting.
+
+By default, ``SESSION_EXPIRE_AT_BROWSER_CLOSE`` is set to ``False``, which
+means session cookies will be stored in users' browsers for as long as
+``SESSION_COOKIE_AGE``. Use this if you don't want people to have to log in
+every time they open a browser.
+
+If ``SESSION_EXPIRE_AT_BROWSER_CLOSE`` is set to ``True``, Django will use
+browser-length cookies -- cookies that expire as soon as the user closes his or
+her browser. Use this if you want people to have to log in every time they open
+a browser.
+
 Settings
 ========
 
@@ -225,6 +241,14 @@ Default: ``'sessionid'``
 
 The name of the cookie to use for sessions. This can be whatever you want.
 
+SESSION_EXPIRE_AT_BROWSER_CLOSE
+-------------------------------
+
+Default: ``False``
+
+Whether to expire the session when the user closes his or her browser. See
+"Browser-length sessions vs. persistent sessions" above.
+
 SESSION_SAVE_EVERY_REQUEST
 --------------------------
 
diff --git a/docs/settings.txt b/docs/settings.txt
index 80000fad5b..26d5930f21 100644
--- a/docs/settings.txt
+++ b/docs/settings.txt
@@ -603,6 +603,14 @@ Default: ``'sessionid'``
 The name of the cookie to use for sessions. This can be whatever you want.
 See the `session docs`_.
 
+SESSION_EXPIRE_AT_BROWSER_CLOSE
+-------------------------------
+
+Default: ``False``
+
+Whether to expire the session when the user closes his or her browser.
+See the `session docs`_.
+
 SESSION_SAVE_EVERY_REQUEST
 --------------------------