Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#30714 closed New feature (wontfix)

Add a system check against SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE both being set

Reported by: Adam Johnson
Owned by: nobody
Component: contrib.sessions
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

The two settings SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_COOKIE_AGE are mutually exclusive. If a user has set both of them, they should be warned with a system check.

Change History (4)

comment:1 by Carlton Gibson, 5 years ago

Resolution: wontfix
Status: new → closed

I'm not sure about this.

SESSION_COOKIE_AGE defaults to two weeks. (OK, one thinks). I don't touch that. I simply enable SESSION_EXPIRE_AT_BROWSER_CLOSE and all of a sudden I get a warning?

That seems less than ideal.

Either we need to rationalize these settings somehow (maybe SESSION_COOKIE_AGE == 0 entailing SESSION_EXPIRE_AT_BROWSER_CLOSE?), or accept that whilst related they're not strictly interdependent.

Happy to think about it, but a decision is needed first, no? Going to say wontfix plus possible discussion on DevelopersMailingList for that reason. Happy to reopen later if we can come up with something.

comment:2 by Adam Johnson, 5 years ago

The check can use settings.is_overridden to check that the user has set it, rather than it being the default coming from the global settings file :)

I posted this ticket because it happened to me: I found a project that had both configured and it wasn't clear which was intended by the original developer.

comment:3 by Carlton Gibson, 5 years ago

Yeah... still not convinced they're contraries. SESSION_EXPIRE_AT_BROWSER_CLOSE trumps whatever value you have for SESSION_COOKIE_AGE, so if you set it, you meant that. I'm not at all convinced we need a system check here.

comment:4 by Adam Johnson, 5 years ago

I think the confusion was that the behaviours don't combine. You can't have a session that is maximum 30 minutes but also disappears if the browser is closed. The docs could be clearer but I think a check is the easiest way to prevent such misconfiguration.
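
A project-level version of the check discussed in this ticket, as an added example: it is not Django's code (the ticket was closed wontfix) and was not posted by either commenter. It uses settings.is_overridden as suggested in comment:2. Assumptions: the check id `myproject.W001`, the helper and class names, and the choice to warn only when SESSION_EXPIRE_AT_BROWSER_CLOSE is explicitly True.

```python
# Added example, not Django's code: Django ships no such check.
WARNING_ID = "myproject.W001"  # hypothetical check id


def session_expiry_conflict(conf):
    """Return a warning message when both settings were set explicitly
    and SESSION_EXPIRE_AT_BROWSER_CLOSE is on; otherwise return None.

    `conf` is django.conf.settings or any object offering is_overridden().
    """
    # is_overridden() is False for values inherited from global settings,
    # so enabling only SESSION_EXPIRE_AT_BROWSER_CLOSE stays silent.
    if not (conf.is_overridden("SESSION_EXPIRE_AT_BROWSER_CLOSE")
            and conf.is_overridden("SESSION_COOKIE_AGE")):
        return None
    if not conf.SESSION_EXPIRE_AT_BROWSER_CLOSE:
        return None  # explicit False: SESSION_COOKIE_AGE is what applies
    return (
        "SESSION_EXPIRE_AT_BROWSER_CLOSE is True and SESSION_COOKIE_AGE is "
        f"set to {conf.SESSION_COOKIE_AGE}; browser-close expiry takes precedence."
    )


class ConstructedSettings:
    """Constructed stand-in for django.conf.settings, for trying the helper."""
    SESSION_COOKIE_AGE = 1209600  # two weeks, the default cited in comment:1
    SESSION_EXPIRE_AT_BROWSER_CLOSE = False

    def __init__(self, **explicit):
        self._explicit = set(explicit)
        for name, value in explicit.items():
            setattr(self, name, value)

    def is_overridden(self, name):
        return name in self._explicit


try:
    from django.core import checks
except ImportError:
    checks = None  # Django absent: only the helper above is usable

if checks is not None:
    @checks.register(checks.Tags.security)
    def check_session_expiry_settings(app_configs, **kwargs):
        from django.conf import settings
        message = session_expiry_conflict(settings)
        return [checks.Warning(message, id=WARNING_ID)] if message else []
```

In a real project the module has to be imported at startup (for example from an AppConfig.ready()) for the registered check to run under `manage.py check`.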
