Struggling to have a Session timeout running with flask-security-too
In the code below I set SECURITY_TOKEN_MAX_AGE to 60 seconds.
A first login to my resource, from an incognito browser, redirects me to the login page. Perfect.
In the same browser, 2 min later, I don't get any token expiration and can access my resource without being asked to log in.
Same behavior after clearing all the cookies (or testing with a fresh incognito session).
Am I missing something in the app configuration?
Sorry if this question addresses the usability of flask-security-too, but I cannot find (yet...) any discussion forum or example showing this type of configuration.
Should I use SECURITY_LOGIN_WITHIN, which is set to 1 day by default? I've also tried setting it to 2 minutes, without success...
Thanks very much for your support
Regards
import os
from flask import Flask
from flask_security import SQLAlchemySessionUserDatastore, Security
from flask_security import auth_required
from dotenv import load_dotenv
from database import db
from models.auth import User, Role
from flask_mailman import Mail
import commands
from datetime import timedelta

load_dotenv()
app = Flask(__name__)
app.config["SECRET_KEY"] = os.environ.get(
    "SECRET_KEY", "0aedgaii451cef0af8bd6432ec4b317c8999a9f8g77f5f3cb49fb9a8acds51d")
app.config["SECURITY_PASSWORD_SALT"] = os.environ.get(
    "SECURITY_PASSWORD_SALT",
    "ab3d3a0f6984c4f5hkao41509b097a7bd498e903f3c9b2eea667h16")
app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
app.config["SECURITY_REGISTERABLE"] = True
app.config["SECURITY_CONFIRMABLE"] = True  # Confirmation via email

# Mail settings used by Flask-Security for confirmation emails
app.config["MAIL_SERVER"] = os.getenv("MAIL_SERVER")
app.config["MAIL_PORT"] = os.getenv("MAIL_PORT")
app.config["MAIL_USE_SSL"] = False
app.config["MAIL_USE_TLS"] = True
app.config["MAIL_USERNAME"] = os.getenv("MAIL_USERNAME")
app.config["MAIL_PASSWORD"] = os.getenv("MAIL_PASSWORD")
mail = Mail(app)

# Timeout session
# app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(minutes=2)
# app.config['SECURITY_LOGIN_WITHIN'] = "2 minutes"
app.config['SECURITY_TOKEN_MAX_AGE'] = 60  # Specifies the number of seconds before an authentication token expires.

uri = os.getenv("DATABASE_URL")
app.config["SQLALCHEMY_DATABASE_URI"] = uri
db.init_app(app)
commands.init_app(app)

user_datastore = SQLAlchemySessionUserDatastore(db.session, User, Role)
security = Security(app, user_datastore)


@app.route("/")
@auth_required()
def home():
    return "Hello, world!"


@app.route("/protected")
@auth_required()
def protected():
    return "You're logged in!"