Skip to content
This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

Is SECURITY_TOKEN_MAX_AGE working ? #879

Open
vpl-profess opened this issue May 17, 2023 · 0 comments
Open

Is SECURITY_TOKEN_MAX_AGE working ? #879

vpl-profess opened this issue May 17, 2023 · 0 comments

Comments

@vpl-profess
Copy link

Struggling to have a Session timeout running with flask-security-too
In the code below I set the SECURITY_TOKEN_MAX_AGE to 60 secondes.

  • A first login to my resource, from an incognito browser redirects me to the login page. Perfect
  • Into the same browser, 2 mn later, I don't have any token expiration and can access my resource without requesting a login
  • Same behavior after clearing all the cookies (or testing with a fresh incognito session)

Am I missing something in the app configuration ?
Sorry if this question address the usability of flask-security-too but cannot find (yet ..) any discussion forum or example showing this type of configuration

Should I use SECURITY_LOGIN_WITHIN which is set to 1 days by default. I've tried also to set it to 2 minutes. Without success ..

Thanks very much for your support

Regards

import os
from flask import Flask
from flask_security import SQLAlchemySessionUserDatastore, Security
from flask_security import auth_required

from dotenv import load_dotenv
from database import db
from models.auth import User, Role
from flask_mailman import Mail
import commands

from datetime import timedelta

load_dotenv()

app = Flask(__name__)

app.config["SECRET_KEY"] = os.environ.get(
    "SECRET_KEY", "0aedgaii451cef0af8bd6432ec4b317c8999a9f8g77f5f3cb49fb9a8acds51d")
app.config["SECURITY_PASSWORD_SALT"] = os.environ.get(
    "SECURITY_PASSWORD_SALT",
    "ab3d3a0f6984c4f5hkao41509b097a7bd498e903f3c9b2eea667h16")
app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
app.config["SECURITY_REGISTERABLE"] = True
app.config["SECURITY_CONFIRMABLE"] = True   # Confirmation via email

app.config["MAIL_SERVER"] = os.getenv("MAIL_SERVER")
app.config["MAIL_PORT"] = os.getenv("MAIL_PORT")
app.config["MAIL_USE_SSL"] = False
app.config["MAIL_USE_TLS"] = True
app.config["MAIL_USERNAME"] = os.getenv("MAIL_USERNAME")
app.config["MAIL_PASSWORD"] = os.getenv("MAIL_PASSWORD")
mail = Mail(app)

# Timeout session
#app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(minutes=2)
#app.config['SECURITY_LOGIN_WITHIN'] = "2 minutes"
app.config['SECURITY_TOKEN_MAX_AGE'] = 60 # Specifies the number of seconds before an authentication token expires.

uri = os.getenv("DATABASE_URL")
app.config["SQLALCHEMY_DATABASE_URI"] = uri

db.init_app(app)
commands.init_app(app)
user_datastore = SQLAlchemySessionUserDatastore(db.session, User, Role)
security = Security(app, user_datastore)

@app.route("/")
@auth_required()
def home():
	return "Hello, world!"

@app.route("/protected")
@auth_required()
def protected():
    return "You're logged in!"
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@vpl-profess