Logging out a specific user with Flask-Login

I am in the process of adding password reset functionality to a Flask web app.

When a password is reset I'd like to log out anyone who was logged in with that username. I am aware of the logout_user() method supplied by Flask-Login. In my application the password reset is done while the user is not logged in, using email confirmation. It is basically "Forgot my password" functionality. I'm looking for something like logout_user(specific_user), or a way of invalidating a specific user's cookies. Something along these lines.

I'd like to do this because currently, if a user's credentials get stolen and they reset their password, the person with the stolen credentials is still logged in and has access to the web app.

You should probably store the timestamp of the password reset and compare it to the user cookie. If the password has been reset after the cookie has been generated, you ask the user to provide login/password again.

The Flask-Login cookie does not contain a timestamp by default, hence you will have to tweak that a little bit.

It would probably be worth posting an issue on Flask-Login's GitHub because it seems to be a standard use case.

EDIT: There's actually a better way to do that, see https://flask-login.readthedocs.org/en/latest/#alternative-tokens . It's about using the user password hash (among other things) to sign the "Remember Me" cookie. This way, if the password changes, the cookie is de facto invalidated.
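The alternative-token idea from the answer, as an added stdlib-only example (not code from the question, the answer, or Flask-Login itself): the value returned from get_id() is an HMAC over the user id and the stored password hash, and the loader recomputes it, so a password reset makes every previously issued session token fail validation without needing a logout_user(specific_user) call. The User class, load_user(), and the SECRET_KEY value are assumptions standing in for the app's own user model, its @login_manager.user_loader callback, and app.config["SECRET_KEY"].

```python
import hashlib
import hmac
import os

# Constructed secret for the example; a real app would use app.config["SECRET_KEY"].
SECRET_KEY = b"constructed-secret-key-for-the-example"


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the stored hash changes whenever the password changes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def make_token(user_id, password_hash):
    """Alternative token: user id plus an HMAC that covers the password hash."""
    mac = hmac.new(SECRET_KEY, f"{user_id}:{password_hash}".encode(), hashlib.sha256)
    return f"{user_id}:{mac.hexdigest()}"


class User:
    """Stand-in for the app's user model (hypothetical, not a Flask-Login class)."""

    def __init__(self, user_id, password):
        self.id = user_id
        self.password_hash = hash_password(password)

    def get_id(self):
        # Flask-Login stores whatever get_id() returns in the session cookie;
        # returning the token instead of the bare id binds the cookie to the hash.
        return make_token(self.id, self.password_hash)

    def reset_password(self, new_password):
        # "Forgot my password" path: no logout_user() call is needed, because
        # every token issued under the old hash stops validating from here on.
        self.password_hash = hash_password(new_password)


def load_user(token, users):
    """What the @login_manager.user_loader callback does with the stored token."""
    user_id = token.split(":", 1)[0]
    user = users.get(user_id)
    if user is None:
        return None
    expected = make_token(user.id, user.password_hash)
    # Constant-time compare; a mismatch means the password changed (or the token was forged).
    return user if hmac.compare_digest(expected, token) else None
```

Only the stolen session's token is rejected on the next request; the holder of the cookie gets treated as anonymous, while a fresh login under the new password produces a token that validates again.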
