Django: Separate session expiry times for "normal" website and admin area
It would be nice if there were an easy way to define separate session expiry time for the admin area of a django website. So, admin users could log themselves into the "normal" website (seen by all users) but when they try to access the admin area for the first time, they get prompted again to enter their password. They could then do their work in the admin area and continue browsing the website for a few hours, all without entering their password again. The next day, they continue browsing the website, but upon returning to the admin area, need to input their password again.
Is there a well-established pattern for this? Or a plugin that implements it?
A common pattern in Django is to keep your normal site session separate from admin authentication by requiring a re-authentication step for admin access. Django doesn’t provide different session-expiry settings per path by default, but you can achieve this by enabling SESSION_EXPIRE_AT_BROWSER_CLOSE or short timeouts globally and then using a custom admin login view or middleware that forces users to re-enter their password when accessing /admin/, similar to Django’s revalidation pattern used for sensitive operations. Some projects use packages like django-axes or custom middleware, but most solutions involve overriding the admin login logic to enforce a shorter expiry or fresh login for the admin area while keeping the normal session intact.
If you want separate sessions, I'd suggest to go all the way and have complete separation. Make admins have two sets of credentials: one which they'd use when browsing the site normally and the other for the admin site.