I've got the authentication working with flask-login, but it seems like no matter what I use for the cookie duration in flask, the session is still authenticated. Am I setting the config variables properly for flask-login? I've tried
app.REMEMBER_COOKIE_DURATION = datetime.timedelta(seconds=30)
app.config["REMEMBER_COOKIE_DURATION"] = datetime.timedelta(seconds=30)
Even if I close the browser, wait a while, and hit a url that should be protected, I can still access it. Is this related to this issue with chrome?. If I clear my cookies, I get the expected login page. All this makes me think that the cookie timeout is not being respected.
Also, what does PERMANENT_SESSION_LIFETIME
do in flask?
REMEMBER_COOKIE_DURATION
is used for "Remember me" functionality, that is, how long to remember logged in user even if he closed the browser. The separate cookie is used for that, the name of which can be set by REMEMBER_COOKIE_NAME
(remember_token
by default). To force login session to expire after some time (even if the browser is still kept running), set PERMANENT_SESSION_LIFETIME
somewhere where you keep your app settings:
PERMANENT_SESSION_LIFETIME = datetime.timedelta(minutes=30)
And in your login view set session.permanent = True
:
from flask import session
@app.route('/login')
def login():
# ...
if login_user(user):
session.permanent = True
return redirect(request.args.get('next') or url_for('index'))
# ...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With