This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

Is SECURITY_TOKEN_MAX_AGE working ? #879

Open
vpl-profess opened this issue May 17, 2023 · 0 comments

Comments

@vpl-profess

Struggling to have a Session timeout running with flask-security-too
In the code below I set the SECURITY_TOKEN_MAX_AGE to 60 seconds.

  • A first login to my resource, from an incognito browser redirects me to the login page. Perfect
  • In the same browser, 2 min later, I don't have any token expiration and can access my resource without requesting a login
  • Same behavior after clearing all the cookies (or testing with a fresh incognito session)

Am I missing something in the app configuration?
Sorry if this question addresses the usability of flask-security-too, but I cannot find (yet ..) any discussion forum or example showing this type of configuration

Should I use SECURITY_LOGIN_WITHIN, which is set to 1 day by default? I've also tried setting it to 2 minutes. Without success ..

Thanks very much for your support

Regards

import os
from flask import Flask
from flask_security import SQLAlchemySessionUserDatastore, Security
from flask_security import auth_required

from dotenv import load_dotenv
from database import db
from models.auth import User, Role
from flask_mailman import Mail
import commands

from datetime import timedelta

load_dotenv()

app = Flask(__name__)

app.config["SECRET_KEY"] = os.environ.get(
    "SECRET_KEY", "0aedgaii451cef0af8bd6432ec4b317c8999a9f8g77f5f3cb49fb9a8acds51d")
app.config["SECURITY_PASSWORD_SALT"] = os.environ.get(
    "SECURITY_PASSWORD_SALT",
    "ab3d3a0f6984c4f5hkao41509b097a7bd498e903f3c9b2eea667h16")
app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
app.config["SECURITY_REGISTERABLE"] = True
app.config["SECURITY_CONFIRMABLE"] = True   # Confirmation via email

app.config["MAIL_SERVER"] = os.getenv("MAIL_SERVER")
app.config["MAIL_PORT"] = os.getenv("MAIL_PORT")
app.config["MAIL_USE_SSL"] = False
app.config["MAIL_USE_TLS"] = True
app.config["MAIL_USERNAME"] = os.getenv("MAIL_USERNAME")
app.config["MAIL_PASSWORD"] = os.getenv("MAIL_PASSWORD")
mail = Mail(app)

# Timeout session
#app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(minutes=2)
#app.config['SECURITY_LOGIN_WITHIN'] = "2 minutes"
app.config['SECURITY_TOKEN_MAX_AGE'] = 60 # Specifies the number of seconds before an authentication token expires.

uri = os.getenv("DATABASE_URL")
app.config["SQLALCHEMY_DATABASE_URI"] = uri

db.init_app(app)
commands.init_app(app)
user_datastore = SQLAlchemySessionUserDatastore(db.session, User, Role)
security = Security(app, user_datastore)

@app.route("/")
@auth_required()
def home():
    return "Hello, world!"

@app.route("/protected")
@auth_required()
def protected():
    return "You're logged in!"
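As an added illustration (not part of the issue and not Flask-Security-Too's own code): SECURITY_TOKEN_MAX_AGE bounds the age of the signed authentication token (the value from get_auth_token(), sent in the Authentication-Token header) and is enforced when such a token is verified; it does not shorten a browser session cookie, whose lifetime is governed by Flask's session settings. The stdlib stand-in below mimics how a timed serializer enforces that limit; the secret, user ids and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real app signs with SECRET_KEY and SECURITY_PASSWORD_SALT.
SECRET_KEY = b"demo-secret-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_auth_token(user_id: int, issued_at: Optional[float] = None) -> str:
    """Build 'payload.timestamp.signature': the issue time is embedded and signed,
    so a verifier can enforce a maximum age later (the role of SECURITY_TOKEN_MAX_AGE)."""
    ts = int(issued_at if issued_at is not None else time.time())
    body = _b64(json.dumps({"uid": user_id}).encode()) + "." + _b64(ts.to_bytes(8, "big"))
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_auth_token(token: str, max_age: Optional[int], now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the signature checks out and the token is no older than
    max_age seconds; None otherwise. max_age=None means the token never expires."""
    try:
        payload, ts_part, sig_part = token.split(".")
        sig = _unb64(sig_part)
        issued = int.from_bytes(_unb64(ts_part), "big")
    except ValueError:  # malformed token (binascii.Error is a ValueError subclass)
        return None
    expected = hmac.new(SECRET_KEY, (payload + "." + ts_part).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered, or signed with a different key
    current = now if now is not None else time.time()
    if max_age is not None and current - issued > max_age:
        return None  # older than max_age: rejected only when the token is presented
    return json.loads(_unb64(payload))["uid"]


if __name__ == "__main__":
    token = issue_auth_token(42, issued_at=1_000_000)
    print(verify_auth_token(token, 60, now=1_000_030))    # 42: within 60 s
    print(verify_auth_token(token, 60, now=1_000_120))    # None: 120 s old
    print(verify_auth_token(token, None, now=1_000_120))  # 42: no max age configured
```

A cookie-based browser session never passes through this check, which is why a short SECURITY_TOKEN_MAX_AGE alone does not log a browser user out.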
