Logged In User not being saved to session.

[astarrh]

This issue has been minimally reproduced here:
https://github.com/astarrh/django_channels_login/tree/ff3df1dc790d855aad7bd3bb087f06b4619c3893

My understanding from the docs is that when a user is logged in through the following method:

from asgiref.sync import async_to_sync
from channels.auth import login

class SyncChatConsumer(WebsocketConsumer):

    ...

    def receive(self, text_data):
        ...
        async_to_sync(login)(self.scope, user)
        self.scope["session"].save()

The user should be logged into the session and should remain logged in if they refresh the page or navigate to other pages. However, this is not the case when I implement it. The user is successfully logged in and the user object can be used as long as the page is open, but on refresh or navigation the user is once again anonymous.

I have observed that Django's sessionid does change upon refreshing the page after login, which seems to be a behavior consistent with a successful login. However, the login status itself isn't preserved.

This has been tested on multiple systems & browsers.

https://github.com/astarrh/django_channels_login/tree/ff3df1dc790d855aad7bd3bb087f06b4619c3893

[JD99]

I join. exactly the same problem

[carltongibson]

I think this is a misunderstanding.

...should remain logged in if they refresh the page or navigate to other pages.

This would be regular HTTP requests, so you'd need to login with django.contrib.auth as normal. That will persist as expected.

Then channels.auth.login is about verifying the user session for the WebSocket connection, which seems to be what you're seeing:

The user is successfully logged in and the user object can be used as long as the page is open...

The underlying issue here would be that you can't Set-Cookie from the connected WebSocket I think.

[astarrh]

That's what we were thinking as well, because the session cookie is http only. However the fact that the session ID was changing (which is consistent with a login event), and that the docs seem to indicate that this should work, I felt that there might be something we were missing.

For example, this portion:

from channels.auth import login

class ChatConsumer(AsyncWebsocketConsumer):

    ...

    async def receive(self, text_data):
        ...
        # login the user to this session.
        await login(self.scope, user)
        # save the session (if the session backend does not access the db you can use `sync_to_async`)
        await database_sync_to_async(self.scope["session"].save)()

seems to indicate that it is possible to update the session as a separate step after the user is logged into the session. If the user is logged in from the first step, what effect is the second step ("save the session") supposed to have?

[carltongibson]

The "save to session" will persist to the session store (so I'd need to sit down and have a think about the effect on the user's authenticated state back in the regular HTTP session) ...

But the main use here is to put the user key into the scope so that follow-up (same connection Websocket) requests can re-use it. (So you'd call it on connect, after a get_user()... 🤔)

[astarrh]

Ok, I think I understand, thank you. I am reading that this is a way to support multiple connections to the same socket. I guess I did not realize that the socket's scope had a version of 'session' that was distinct from the HTTP session.

However, it does seem to be doing something to the HTTP session, since that session's ID is getting changed (which only seems to happen when a user logs in or out).