How does get_user make sure that the session is still valid (not expired)?

[imran-iq]

In the docs it is mentioned that we should periodically check with get_user(scope) in long lived sessions to make sure that the session is still valid.

From: https://asgi.readthedocs.io/en/latest/specs/main.html
A connection scope, which represents a protocol connection to a user and survives until the connection closes.

So my (naive) understanding is that a connection is started, and the session is put into self.scope of the consumer.
Inside the consumer we call get_user(self.scope):

channels/channels/auth.py

Lines 20 to 55 in b6dc8c1

	@database_sync_to_async
	def get_user(scope):
	"""
	Return the user model instance associated with the given scope.
	If no user is retrieved, return an instance of `AnonymousUser`.
	"""
	# postpone model import to avoid ImproperlyConfigured error before Django
	# setup is complete.
	from django.contrib.auth.models import AnonymousUser
	if "session" not in scope:
	raise ValueError(
	"Cannot find session in scope. You should wrap your consumer in "
	"SessionMiddleware."
	)
	session = scope["session"]
	user = None
	try:
	user_id = _get_user_session_key(session)
	backend_path = session[BACKEND_SESSION_KEY]
	except KeyError:
	pass
	else:
	if backend_path in settings.AUTHENTICATION_BACKENDS:
	backend = load_backend(backend_path)
	user = backend.get_user(user_id)
	# Verify the session
	if hasattr(user, "get_session_auth_hash"):
	session_hash = session.get(HASH_SESSION_KEY)
	session_hash_verified = session_hash and constant_time_compare(
	session_hash, user.get_session_auth_hash()
	)
	if not session_hash_verified:
	session.flush()
	user = None
	return user or AnonymousUser()

which does the following:

1. check there is a session object in the scope
2. check that the users password has not changed with the auth hash key

but it does not check that the session has expired, i.e. in the following case:

1. a session is created that expires in lets say 1 hour
2. a user uses the session cookie to connect to the websocket and the session is set in the scope
3. 2 hours pass
4. calling get_user(scope) will still return the authenticated user even though the session has expired since the expiration time is not checked
5. The user remains authenticated in the long lived connection despite having an expired session

So until the user closes their websocket connection, get_user will continue to think the user is authenticated

Or is there some other mechanism that ensures the auth hash changes once a session is expired?

[carltongibson]

If you're dealing with short-lived sessions you can check the session's expire_date, or you can refresh the session in the scope (similarly to refetching the user).

(I suspect periodically calling session.save() is going to be the simplest way forward, but it depends on your exact use-case 🤔)

[imran-iq]

Yeah I have ended up checking expire_date along with refetching the user just in case 👍