As discussed, adjust checks for SESSION_COOKIE_AGE and SESSION_EXPIRE_AT_BROWSER_CLOSE

e657c538 · Art · 1aa3c95c · e657c538
Commit e657c538 authored 7 years ago by Art
--- a/ssoauth/checks.py
+++ b/ssoauth/checks.py
@@ -134,15 +134,15 @@ def auth_urls_configured(app_configs, **kwargs):
 @register(Tags.security)
 def session_lifetime(app_configs, **kwargs):
    errors = list()
-    max_wanted = 60 * 60  # seconds
-    if conf.settings.SESSION_COOKIE_AGE > max_wanted and not conf.settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
+    max_wanted = 10 * 60 * 60  # in seconds
+    if conf.settings.SESSION_COOKIE_AGE > max_wanted or conf.settings.SESSION_COOKIE_AGE is 0:
        errors.append(Error(
-            "Please reduce SESSION_COOKIE_AGE to at most {max_wanted} or set SESSION_EXPIRE_AT_BROWSER_CLOSE = True".format(**locals()),
+            "Please reduce SESSION_COOKIE_AGE to at most {max_wanted}".format(**locals()),
            obj=conf.settings,
        ))
-    if conf.settings.SESSION_COOKIE_AGE > 60 * 60 * 24:  # >24h is too much even with SESSION_EXPIRE_AT_BROWSER_CLOSE
-        errors.append(Error(
-            "SESSION_COOKIE_AGE is too high. This means users can stay logged in longer than their accounts are active.",
+    if not conf.settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
+        errors.append(Warning(
+            "Recommended value for SESSION_EXPIRE_AT_BROWSER_CLOSE = True",
            obj=conf.settings,
        ))
    return errors