scidsg / frontpage

A self-hosted, privacy-focused publishing platform for autonomous and independent newsrooms.
https://ddosecrets.news
GNU Affero General Public License v3.0

Flask-Login needs to use an "alternative token" to load users to allow for invalidating sessions #11

Open brassy-endomorph opened 10 months ago

brassy-endomorph commented 10 months ago

As per the docs: https://flask-login.readthedocs.io/en/latest/#alternative-tokens

Using the user ID as the value of the remember token means you must change the user’s ID to invalidate their login sessions. One way to improve this is to use an alternative user id instead of the user’s ID.
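
The invalidation pattern the quoted docs describe, as an added example that is not part of the original issue or the frontpage code base. It is a dependency-free model: in a Flask app, `User` would subclass `flask_login.UserMixin` and `load_user` would be registered with `@login_manager.user_loader`. The names `alternative_id`, `rotate_alternative_id` and `UserStore` are assumptions, and the in-memory store stands in for a database table.

```python
import secrets


class User:
    """Stand-in for the app's user model (hypothetical fields)."""

    def __init__(self, user_id, username):
        self.id = user_id            # primary key, never changes
        self.username = username
        self.alternative_id = secrets.token_urlsafe(32)

    def get_id(self):
        # Flask-Login stores whatever get_id() returns in the session and
        # the remember cookie, so return the rotatable token, not the key.
        return self.alternative_id

    def rotate_alternative_id(self):
        # Call on password change, "log out everywhere", or suspected
        # session theft: every session and remember cookie issued before
        # this point stops resolving to a user.
        self.alternative_id = secrets.token_urlsafe(32)


class UserStore:
    """In-memory stand-in for the users table (constructed for this example)."""

    def __init__(self):
        self._users = []

    def add(self, user):
        self._users.append(user)
        return user

    def load_user(self, session_value):
        # Role of the user_loader callback: receives the string stored in
        # the session and must return None when it matches no user.
        # A real app would query a unique, indexed alternative_id column.
        for user in self._users:
            if secrets.compare_digest(user.alternative_id, str(session_value)):
                return user
        return None


if __name__ == "__main__":
    store = UserStore()
    alice = store.add(User(1, "alice"))
    old_cookie_value = alice.get_id()
    alice.rotate_alternative_id()
    print("old session still valid:", store.load_user(old_cookie_value) is not None)
```
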