
How to Implement Remember Me in Django: Simple Guide

To implement remember me in Django, customize the session expiration time based on the user's choice. If the user selects remember me, call request.session.set_expiry() with a longer duration; otherwise, use the default session expiry.

Syntax

The key method to control session duration in Django is request.session.set_expiry(value). The value can be:

  • None: Use global session expiry settings.
  • 0: Session expires when the browser closes.
  • seconds (integer): Session expires after this many seconds.

Use this method after user login to set how long the session should last.

python
from django.contrib.auth import authenticate, login
from django.shortcuts import render, redirect

def login_view(request):
    if request.method == 'POST':
        # authenticate user
        user = authenticate(request, username=request.POST['username'], password=request.POST['password'])
        if user is not None:
            login(request, user)
            if 'remember_me' in request.POST:
                request.session.set_expiry(1209600)  # 2 weeks
            else:
                request.session.set_expiry(0)  # expires on browser close
            return redirect('home')
    # GET request or failed login: show the form again
    return render(request, 'login.html')

Example

This example shows a Django login view that sets session expiry based on a 'remember me' checkbox in the login form.

python
from django.contrib.auth import authenticate, login
from django.shortcuts import render, redirect

def login_view(request):
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')
        remember_me = request.POST.get('remember_me')
        user = authenticate(request, username=username, password=password)
        if user is not None:
            login(request, user)
            if remember_me:
                request.session.set_expiry(1209600)  # 2 weeks
            else:
                request.session.set_expiry(0)  # expires on browser close
            return redirect('home')
        else:
            error = 'Invalid credentials'
            return render(request, 'login.html', {'error': error})
    return render(request, 'login.html')
Output
User is logged in with session lasting 2 weeks if 'remember me' checked, else session expires on browser close.

Common Pitfalls

  • Forgetting to call request.session.set_expiry() after login means the session uses default expiry.
  • Setting expiry to None uses global settings, which may not match user choice.
  • Not handling the 'remember me' checkbox properly in the form can cause unexpected session behavior.
  • Relying on cookies alone without session expiry can cause security issues.
python
from django.contrib.auth import authenticate, login
from django.shortcuts import render, redirect

# Incorrect: Not setting expiry at all
def login_view(request):
    if request.method == 'POST':
        user = authenticate(request, username=request.POST['username'], password=request.POST['password'])
        if user is not None:
            login(request, user)
            # Missing set_expiry call
            return redirect('home')
    return render(request, 'login.html')

# Correct way:
def login_view(request):
    if request.method == 'POST':
        user = authenticate(request, username=request.POST['username'], password=request.POST['password'])
        if user is not None:
            login(request, user)
            if 'remember_me' in request.POST:
                request.session.set_expiry(1209600)  # 2 weeks
            else:
                request.session.set_expiry(0)  # expires on browser close
            return redirect('home')
    # GET request or failed login: show the form again
    return render(request, 'login.html')

Quick Reference

  • request.session.set_expiry(0): Session expires on browser close.
  • request.session.set_expiry(seconds): Session expires after given seconds.
  • request.session.set_expiry(None): Use default session expiry from settings.
  • Call set_expiry right after login() to apply.

Key Takeaways

  • Use request.session.set_expiry() to control session duration for remember me functionality.
  • Set a long expiry time (e.g., 2 weeks) if the user selects remember me, else expire on browser close.
  • Always call set_expiry immediately after login to apply the session duration.
  • Handle the remember me checkbox properly in your login form and view.
  • Avoid relying solely on cookies without session expiry for security.