How can I logout a user in Django?

Solution 1

You can log them out using

from django.contrib.auth import logout

if <your authentication validation logic>:
    logout(request) 

... from within any view.

logout() Django docs here.

Solution 2

You can use a session backend that lets you query and get the sessions of a specific user. In these session backends, Session has a foreign key to User, so you can query sessions easily:

Using these backends, deleting all sessions of a user can be done in a single line of code:

# log-out a user
user.session_set.all().delete()

Disclaimer: I am the author of django-qsessions.
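
With Django's default database session backend there is no user column on the session table, so the same effect needs a scan that decodes each unexpired session. The following is an added example, not code from any answer on this page; `logout_user`, `FakeUser`, `FakeSession` and `demo` are hypothetical names, and the stand-in objects are constructed so the function can run without a database.

```python
SESSION_KEY = "_auth_user_id"  # key under which django.contrib.auth stores the user's pk


def logout_user(user, sessions=None):
    """Delete every session authenticated as `user`; return how many were removed."""
    if sessions is None:
        # Lazy import: Django is only needed when the real session table is scanned.
        from django.contrib.sessions.models import Session
        from django.utils import timezone
        sessions = Session.objects.filter(expire_date__gte=timezone.now())
    removed = 0
    for session in sessions:
        # get_decoded() returns {} for a payload it cannot decode, so such rows never match.
        if str(session.get_decoded().get(SESSION_KEY)) == str(user.pk):
            session.delete()
            removed += 1
    return removed


# --- constructed stand-ins (assumption: they mimic Session.get_decoded()/delete()) ---
class FakeUser:
    def __init__(self, pk):
        self.pk = pk


class FakeSession:
    def __init__(self, data):
        self.data, self.deleted = data, False

    def get_decoded(self):
        return self.data

    def delete(self):
        self.deleted = True


def demo():
    """Two sessions for user 7, one for user 8, one anonymous (all constructed)."""
    sessions = [FakeSession({SESSION_KEY: "7"}), FakeSession({SESSION_KEY: "8"}),
                FakeSession({}), FakeSession({SESSION_KEY: "7"})]
    removed = logout_user(FakeUser(7), sessions)
    return removed, [s.deleted for s in sessions]


if __name__ == "__main__":
    print(demo())
```

In a job that has no request object, such as the nightly sync in the question, `logout_user(user)` can be called right after `user.save()`. The scan reads every unexpired row, which is the cost the foreign-key backends described in this answer avoid.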

Solution 3

In addition to the login_required decorator, you could use the user_passes_test decorator to test if the user is still active.

from django.contrib.auth.decorators import user_passes_test

def is_user_active(user):
    # Test function: the view runs only when this returns True
    return user.is_active

@user_passes_test(is_user_active, login_url='/your_login')
def your_function(request):
    ...  # view body

Author: Torsten Bronger

Updated on June 28, 2020

Comments

  • Torsten Bronger
    Torsten Bronger almost 4 years

    Our Django deployment checks every night which active users can still be found in our LDAP directory. If they cannot be found anymore, we set them to inactive. If they try to log in next time, this will fail. Here is our code that does this:

    def synchronize_users_with_ad(sender, **kwargs):
        """Signal listener which synchronises all active users without a usable
        password against the LDAP directory.  If a user cannot be
        found anymore, he or she is set to “inactive”.
        """
        ldap_connection = LDAPConnection()
        for user in User.objects.filter(is_active=True):
            if not user.has_usable_password() and not existing_in_ldap(user):
                user.is_active = user.is_staff = user.is_superuser = False
                user.save()
                user.groups.clear()
                user.user_permissions.clear()
    
    maintain.connect(synchronize_users_with_ad)
    

    But if they are still logged in, this session(s) is/are still working. How can we make them invalid immediately? All settings of the session middleware are default values.

  • C.B.
    C.B. almost 10 years
    from django.contrib.auth import logout as well
  • Daniel Roseman
    Daniel Roseman almost 10 years
    This doesn't seem to answer the question. OP appears to want a way to manually log users out immediately (which would probably involve some kind of session manipulation, if it's possible at all).
  • Admin
    Admin almost 10 years
    Even if you don't log the users off immediately, they get logged off as soon as they try to access any view or the views in which the check is performed and invalid users are logout().
  • Torsten Bronger
    Torsten Bronger almost 10 years
    I added a code snippet to explain more exactly what we are doing. As you can see, we have no request object.
  • Torsten Bronger
    Torsten Bronger almost 10 years
    At least setting a user to inactive does not prevent him or her from still using the site. I could still walk around while being inactive. The revoked permissions may impose a certain limitation but that's all.
  • Torsten Bronger
    Torsten Bronger almost 10 years
    Thank you, I didn't know this decorator and it may be useful to me someday. However, cluttering 60.000 LOC with this decorator exactly fails to fill me with enthusiasm. ;-) What would help, for example, is a logout(user) function.