
BUG: Concurrent session logouts are mis-tracked

Open sevdog opened this issue 1 year ago • 2 comments

Describe the bug: When there are concurrent sessions held by the same user on different devices, the first one that logs out also marks the logout time on the others.

To Reproduce: Steps to reproduce the behavior:

  1. Configure AXES using AxesDatabaseHandler (the default one)
  2. Create a user
  3. Log in with that user using a browser
  4. Log in with that user using a different browser (or incognito mode)
  5. <repeat step 3 with other browser/client if needed>
  6. Log out from one of the active browsers

Now every AccessLog for that user has the same logout_time, even those for which there is still an active session. It is not possible to update access-logs for those records. https://github.com/jazzband/django-axes/blob/fd9d185ad32570434d14de79e45976c6e18fcc54/axes/handlers/database.py#L319-L321

Expected behavior: Every session for a single user should be related to a single AccessLog, to enable correct tracking of the user.

Your environment:

  • python version: 3.10
  • django version: 4.2
  • django-axes version:
  • Operating system: Linux

Possible implementation: It would be advisable to have another optional field on AccessLog which can be a digest of the current session-id. This could also be used as a method to detect whenever an access "expires" without log-off. The reasons for not using a FK to session are:

  • it is not secure since the PK of session usually is the session-id which must be kept secret and hard to find (if possible)
  • username is already not a real FK to user but just a simple column

sevdog, Apr 15 '24 13:04
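As an added illustration (not code from django-axes and not part of the report), the following standalone Python models the two strategies the report contrasts: stamping logout_time on every open row for the username, which reproduces the symptom in steps 3-6, versus stamping only the row whose stored keyed digest of the session id matches the session being logged out. It also includes a sweep that closes rows whose session no longer exists in the session store, the "expired without log-off" case. The AccessLog dataclass, LogStore, the HMAC-SHA256 choice and the secret are assumptions of the example, not fields or APIs of the project.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass
class AccessLog:
    """In-memory stand-in for an access-log row (assumed shape, not the project's).

    session_digest is the proposed extra column: a keyed hash of the session id,
    never the session id itself, since the id is the session PK and a secret.
    """
    username: str
    attempt_time: datetime
    session_digest: Optional[str] = None
    logout_time: Optional[datetime] = None


def session_digest(session_key: str, secret: bytes) -> str:
    """HMAC-SHA256 of the session id under a server-side secret (assumed here).

    Someone who reads the log table cannot recover the session id from the digest
    and cannot forge a matching digest without the secret.
    """
    return hmac.new(secret, session_key.encode("utf-8"), hashlib.sha256).hexdigest()


class LogStore:
    """Minimal list-backed store with both logout strategies side by side."""

    def __init__(self) -> None:
        self.rows: List[AccessLog] = []

    def record_login(self, username: str, session_key: str, secret: bytes,
                     when: datetime) -> AccessLog:
        row = AccessLog(username, when, session_digest(session_key, secret))
        self.rows.append(row)
        return row

    def logout_by_username(self, username: str, when: datetime) -> int:
        """Reproduces the reported behaviour: every open row for the user is
        stamped, including rows for sessions that are still alive."""
        closed = 0
        for row in self.rows:
            if row.username == username and row.logout_time is None:
                row.logout_time = when
                closed += 1
        return closed

    def logout_by_session(self, session_key: str, secret: bytes,
                          when: datetime) -> int:
        """Proposed behaviour: only the row whose digest matches is stamped."""
        digest = session_digest(session_key, secret)
        closed = 0
        for row in self.rows:
            if row.session_digest == digest and row.logout_time is None:
                row.logout_time = when
                closed += 1
        return closed

    def expire_missing(self, live_session_keys: Iterable[str], secret: bytes,
                       when: datetime) -> int:
        """Close rows whose session is gone from the session store: an access
        that expired without an explicit log-off."""
        live = {session_digest(k, secret) for k in live_session_keys}
        closed = 0
        for row in self.rows:
            if row.logout_time is None and row.session_digest not in live:
                row.logout_time = when
                closed += 1
        return closed

    def open_rows(self, username: str) -> List[AccessLog]:
        return [r for r in self.rows
                if r.username == username and r.logout_time is None]


# Constructed values for the example; a real deployment would use its own secret.
SECRET = b"constructed-secret-for-the-example"
T0 = datetime(2024, 4, 15, 13, 0, tzinfo=timezone.utc)


def two_browsers(use_session_digest: bool) -> int:
    """Steps 3-6 of the report: one user, two browsers, log out of the first.
    Returns how many rows are still open afterwards (1 is correct)."""
    store = LogStore()
    store.record_login("alice", "sess-browser-a", SECRET, T0)
    store.record_login("alice", "sess-browser-b", SECRET, T0 + timedelta(minutes=1))
    if use_session_digest:
        store.logout_by_session("sess-browser-a", SECRET, T0 + timedelta(minutes=5))
    else:
        store.logout_by_username("alice", T0 + timedelta(minutes=5))
    return len(store.open_rows("alice"))


def expiry_without_logout() -> int:
    """Browser B's session has vanished from the session store (expired);
    only its row is closed, browser A's stays open. Returns rows closed."""
    store = LogStore()
    store.record_login("alice", "sess-browser-a", SECRET, T0)
    store.record_login("alice", "sess-browser-b", SECRET, T0)
    return store.expire_missing(["sess-browser-a"], SECRET, T0 + timedelta(hours=2))


if __name__ == "__main__":
    print("open rows after logout, by username:", two_browsers(False))
    print("open rows after logout, by session: ", two_browsers(True))
    print("rows closed by expiry sweep:        ", expiry_without_logout())
```

The per-session variant needs the session id at logout time, which Django's user_logged_out signal provides through the request, so the digest can be computed before the session is flushed; the expiry sweep only needs the set of currently live session keys, which keeps it independent of which session backend is in use.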

Thanks for reporting 👍

One option would be to make a mapping from access log objects to sessions so that the correct sessions can be revoked, as you said.

Sessions can also be stored in other session backends so the implementation should be compatible with those.

Would you have the opportunity for making a PR for fixing this bug @sevdog?

aleksihakli, Apr 15 '24 17:04

Sure, as soon as I can find enough time to work on it.

sevdog, Apr 19 '24 06:04