A common pattern in Django is to keep your normal site session separate from admin authentication by requiring a re-authentication step for admin access. Django doesn’t provide different session-expiry settings per path by default. You can still achieve this by enabling SESSION_EXPIRE_AT_BROWSER_CLOSE or short timeouts globally, and then using a custom admin login view or middleware that forces users to re-enter their password when accessing /admin/, similar to Django’s revalidation pattern used for sensitive operations. Some projects use packages like django-axes or custom middleware, but most solutions involve overriding the admin login logic to enforce a shorter expiry or fresh login for the admin area while keeping the normal session intact.
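One way to implement the middleware variant described above, as an added example that is not from the original text or from Django itself: a timestamp stored in the session gates /admin/ while the site session is left alone. The re-auth URL, session key, 15-minute window and all function names are assumptions.

```python
import time
from urllib.parse import urlencode

ADMIN_PREFIX = "/admin/"          # assumption: default admin mount point
EXEMPT = ("/admin/logout/",)      # assumption: logging out never needs a fresh password
REAUTH_URL = "/admin-reauth/"     # hypothetical password-prompt view, outside ADMIN_PREFIX
ADMIN_MAX_AGE = 15 * 60           # assumption: a password check is valid for 15 minutes
SESSION_KEY = "admin_reauth_at"   # hypothetical session key


def mark_admin_reauthenticated(session, now=None):
    """Record a successful password check; call it from the re-auth view."""
    session[SESSION_KEY] = time.time() if now is None else now


def admin_needs_reauth(path, session, now=None):
    """True when path is under the admin and the last password check is missing or stale."""
    if not path.startswith(ADMIN_PREFIX) or path in EXEMPT:
        return False
    now = time.time() if now is None else now
    stamp = session.get(SESSION_KEY)
    if not isinstance(stamp, (int, float)):
        return True               # missing or malformed stamp: fail closed
    age = now - stamp
    # A stamp dated in the future is treated as invalid rather than as fresh.
    return age < 0 or age > ADMIN_MAX_AGE


class AdminReauthMiddleware:
    """List after SessionMiddleware and AuthenticationMiddleware in MIDDLEWARE."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        user = getattr(request, "user", None)
        if (user is not None and user.is_authenticated
                and admin_needs_reauth(request.path, request.session)):
            # Imported here so the policy function can be tested without Django.
            from django.http import HttpResponseRedirect
            # Only the admin stamp is stale; the site session is not flushed.
            query = urlencode({"next": request.get_full_path()})
            return HttpResponseRedirect(f"{REAUTH_URL}?{query}")
        return self.get_response(request)
```

The hypothetical re-auth view should verify the password with `request.user.check_password()`, validate `next` with `url_has_allowed_host_and_scheme()`, and then call `mark_admin_reauthenticated(request.session)`.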