Separate expiration interval for admin users #49

@joshkel

Description

For security reasons, we'd like admin users (anyone on one of the admin site pages or anyone with is_staff set) to be logged out after 15 minutes of inactivity. Regular, unprivileged users aren't security-sensitive, so they could stay logged in for the default SESSION_COOKIE_AGE.

Could this feature be added to django-session-security? What's the best approach for doing so?

One possible idea would be to move the expiration-checking logic from process_request to process_view, so that the middleware can check the request's namespaces against some sort of SESSION_SECURITY_SENSITIVE_NAMESPACES list. If the sensitive namespaces list is non-empty, and request.resolver_match.app_name and/or request.resolver_match.namespace is NOT in the list, then the middleware would never log out.

PR #20 would also have addressed this, I think, but I see that it was reverted.

Or maybe there's another, better design. I'm pretty new to Django. I'm happy to help with implementation, if you're open to the idea and can give some guidance on a good design.
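As an added illustration of the design sketched in the issue (this is example code, not django-session-security's own middleware, and it has not been reviewed by the project), the block below implements a process_view hook that applies a short inactivity limit only to privileged requests: those made by an is_staff user, or those whose resolved URL falls in a sensitive namespace. The check has to live in process_view rather than process_request because Django populates request.resolver_match after the process_request phase and before process_view. The setting names (SESSION_SECURITY_SENSITIVE_NAMESPACES, SESSION_SECURITY_SENSITIVE_EXPIRE_AFTER), the session key, and the small User/ResolverMatch/Request stand-ins are assumptions made so the example runs without Django installed; in a real project the middleware reads request.user, request.resolver_match and request.session and calls django.contrib.auth.logout.

```python
"""Hypothetical inactivity-expiry middleware with a separate, shorter limit for
admin/staff requests. Added example; not django-session-security's code."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical settings (assumed names, not real django-session-security settings).
SESSION_SECURITY_SENSITIVE_NAMESPACES = {"admin"}   # app_name / namespace values treated as privileged
SESSION_SECURITY_SENSITIVE_EXPIRE_AFTER = 15 * 60   # seconds of inactivity before a privileged logout
SESSION_SECURITY_EXPIRE_AFTER = None                # None: unprivileged sessions rely on SESSION_COOKIE_AGE
LAST_ACTIVITY_KEY = "_example_last_activity"        # assumed session key used by this example only


# Minimal stand-ins (constructed for this example) for the Django objects the
# middleware reads, so it runs offline. Real code uses request.user,
# request.resolver_match and request.session directly.
@dataclass
class User:
    is_authenticated: bool = True
    is_staff: bool = False


@dataclass
class ResolverMatch:
    app_name: str = ""
    namespace: str = ""


@dataclass
class Request:
    user: User
    resolver_match: Optional[ResolverMatch]
    session: dict = field(default_factory=dict)
    logged_out: bool = False


def is_sensitive(request) -> bool:
    """Privileged if the user is staff, or the matched URL is in a sensitive namespace.

    Checking is_staff first means a staff user gets the short limit on every page,
    not only while browsing the admin, which is what the issue asks for."""
    if getattr(request.user, "is_staff", False):
        return True
    match = request.resolver_match
    if match is None:
        return False
    return (match.app_name in SESSION_SECURITY_SENSITIVE_NAMESPACES
            or match.namespace in SESSION_SECURITY_SENSITIVE_NAMESPACES)


def expire_after(request) -> Optional[int]:
    """Inactivity limit in seconds for this request; None means no middleware-enforced limit."""
    if is_sensitive(request):
        return SESSION_SECURITY_SENSITIVE_EXPIRE_AFTER
    return SESSION_SECURITY_EXPIRE_AFTER


def process_view(request, now: float) -> str:
    """Body of a Django process_view(request, view_func, args, kwargs) hook.

    `now` is a Unix timestamp injected for testability; a real middleware would
    call time.time(). Returns 'skipped' for anonymous users, 'expired' when the
    session was terminated, otherwise 'refreshed'."""
    if not request.user.is_authenticated:
        return "skipped"
    limit = expire_after(request)
    last = request.session.get(LAST_ACTIVITY_KEY)
    if limit is not None and last is not None and now - last > limit:
        # Stand-in for django.contrib.auth.logout(request): drop all session state
        # so nothing from the expired session survives.
        request.session.clear()
        request.logged_out = True
        return "expired"
    # Any request that was not expired counts as activity and resets the timer.
    request.session[LAST_ACTIVITY_KEY] = now
    return "refreshed"
```

Two points worth keeping in mind with this shape: the timer is reset by activity anywhere on the site, so a staff user who keeps working on non-admin pages stays logged in, while one who is idle anywhere for over 15 minutes is logged out on their next request; and because the elapsed-time check runs before the session is refreshed, a stale privileged session is terminated rather than silently renewed.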
