
Flask-Login login_manager.session_protection=strong doesn't redirect to login page

We're using flask-login to handle logins to our webpage. We expect it to be very strict with sessions so when a browser is closed, the user is prompted to log back in again.

We expect the user would be sent to the login page for every URL, and the session won't persist.

We require strict protection

login_manager.session_protection = "strong"
login_manager.refresh_view = "users.login"

Refresh view is used as the docs state:

refresh_view

The name of the view to redirect to when the user needs to reauthenticate

When the user closes their browser and begins a new session, they are not prompted to log in; instead they're given a page where hrefs redirect to the login page, and other links give permission errors. This isn't optimal.

Internally, the way redirects are accomplished with flask_login is by using the unauthorized() function in the login_manager.py file, which uses the request library to grab the request URL of the page the user is trying to access. When a user is logged out and tries to access the page, it will properly grab the correct URL and redirect the user to the view assigned to the login_view setting. However, when session protection is set to strong and the user quits the application and redirects to the page, the unauthorized() function is not being executed.

So why aren't they sent to the login page for every new browser instance?

In our case, the user still had a remember me cookie that persisted the session. After adding this line

REMEMBER_COOKIE_DURATION = timedelta(minutes=0)

The user is correctly sent to the login page.
