How can I logout a user in Django?
Solution 1
You can log them out using
from django.contrib.auth import logout
if <your authentication validation logic>:
logout(request)
... from within any view.
logout()
Django docs here.
Solution 2
You can use a session backend that lets you query and get the sessions of a specific user. In these session backends, Session has a foreign key to User, so you can query sessions easily:
-
django-qsessions (based on django's
db
,cached_db
session backends) -
django-user-sessions (based on django's
db
session backend)
Using these backends, deleting all sessions of a user can be done in a single line of code:
# log-out a user
user.session_set.all().delete()
Disclaimer: I am the author of django-qsessions
.
Solution 3
In addition to the login_required decorator, you could use the user_passes_test decorator to test if the user is still active.
from django.contrib.auth import user_passes_test
def is_user_active(user):
return user.is_active
@user_passes_test(is_user_active, login_url='/your_login')
def your_function(request):
....
Related videos on Youtube
Torsten Bronger
Updated on June 28, 2020Comments
-
Torsten Bronger almost 4 years
Our Django deployment checks every night which active users can still be found in out LDAP directory. If they cannot be found anymore, we set them to inactive. If they try to login next time, this will fail. Here is our code that does this:
def synchronize_users_with_ad(sender, **kwargs): """Signal listener which synchronises all active users without a usable password against the LDAP directory. If a user cannot be found anymore, he or she is set to “inactive”. """ ldap_connection = LDAPConnection() for user in User.objects.filter(is_active=True): if not user.has_usable_password() and not existing_in_ldap(user): user.is_active = user.is_staff = user.is_superuser = False user.save() user.groups.clear() user.user_permissions.clear() maintain.connect(synchronize_users_with_ad)
But if they are still logged in, this session(s) is/are still working. How can we make them invalid immediately? All settings of the session middleware are default values.
-
Torsten Bronger almost 10 yearsThis should be marked a duplicate of stackoverflow.com/questions/953879/… In particular, I found an answer for me there.
-
-
C.B. almost 10 years
from django.contrib.auth import logout
as well -
Daniel Roseman almost 10 yearsThis doesn't seem to answer the question. OP appears to want a way to manually log users out immediately (which would probably involve some kind of session manipulation, if it's possible at all).
-
Admin almost 10 yearsEven if you don't log the users off immediately, they get logged off as soon as they try to access any view or the views in which the check is performed and invalid users are
logout()
. -
Torsten Bronger almost 10 yearsI added a code snippet to explain more exactly what we are doing. As you can see, we have no
request
object. -
Torsten Bronger almost 10 yearsAt least setting a user to inactive does not prevent him or her from still using the site. I could still walk around while being inactive. The Revoked permissions may impose a certain limitation but that's all.
-
Torsten Bronger almost 10 yearsThank you, I didn't know this decorator and it may be useful to me someday. However, cluttering 60.000 LOC with this decorator exactly fails to fill me with enthusiasm. ;-) What would help, for example, is a
logout(user)
function.