flask-login: Chrome ignoring cookie expiration?

Question

I've got the authentication working with flask-login, but it seems like no matter what I use for the cookie duration in flask, the session is still authenticated. Am I setting the config variables properly for flask-login? I've tried

app.REMEMBER_COOKIE_DURATION = datetime.timedelta(seconds=30)
app.config["REMEMBER_COOKIE_DURATION"] = datetime.timedelta(seconds=30)

Even if I close the browser, wait a while, and hit a url that should be protected, I can still access it. Is this related to this issue with chrome?. If I clear my cookies, I get the expected login page. All this makes me think that the cookie timeout is not being respected.

Also, what does PERMANENT_SESSION_LIFETIME do in flask?

Answer 1

REMEMBER_COOKIE_DURATION is used for "Remember me" functionality, that is, how long to remember logged in user even if he closed the browser. The separate cookie is used for that, the name of which can be set by REMEMBER_COOKIE_NAME (remember_token by default). To force login session to expire after some time (even if the browser is still kept running), set PERMANENT_SESSION_LIFETIME somewhere where you keep your app settings:

PERMANENT_SESSION_LIFETIME = datetime.timedelta(minutes=30)

And in your login view set session.permanent = True:

from flask import session

@app.route('/login')
def login():
    # ...
    if login_user(user):
        session.permanent = True
        return redirect(request.args.get('next') or url_for('index'))
    # ...