flask-security
Server Side session expiration
We are looking to implement a feature much like Facebook and Google's logout all other sessions. To do this the server needs to be able to invalidate a token. Is there any way for flask security to do this?
We have done something which you might find useful. You can create a model [1] that stores the relation between users and sessions. Then you need a set of functions [2] for populating/cleaning these relations, which you can connect to specific signals or views.

[1] https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/models.py#L109-L126
[2] https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/sessions.py
@jirikuncar That is what we were thinking of doing. Didn't you have to update the functions that require authorization to check the state of the tokens in the database?
@RoosterKelly the sessions get deleted on logout and expired by Redis automatically. There is however one more thing you want to do when deactivating a user: removing all active sessions (see https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/datastore.py).
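The user-to-session relation and the cleanup functions discussed in the two comments above, as an added, framework-independent example (not code from this thread, from invenio-accounts or from Flask-Security). It assumes an in-memory dict in place of the Redis store, a constructed `SESSION_TTL`, and hypothetical function names; the point is that revocation must touch both sides of the relation, and that "log out all other sessions" and "deactivate user" are the same operation with and without a session to keep.

```python
import secrets
import time

# Constructed in-memory stand-in for the Redis-backed store described in the
# thread. A real deployment keeps SESSIONS in Redis (or Flask-KVSession); the
# USER_SESSIONS mapping mirrors the user<->session relation from [1].
SESSIONS = {}        # session id -> {"user_id": int, "created": float}
USER_SESSIONS = {}   # user id -> set of session ids
INACTIVE_USERS = set()

SESSION_TTL = 3600   # seconds; assumed value for this example


def create_session(user_id, now=None):
    """Issue a fresh random session id and record which user owns it."""
    if user_id in INACTIVE_USERS:
        raise PermissionError("user is deactivated")
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)   # 256 bits of entropy: unguessable id
    SESSIONS[sid] = {"user_id": user_id, "created": now}
    USER_SESSIONS.setdefault(user_id, set()).add(sid)
    return sid


def revoke_session(sid):
    """Delete one session from both sides of the relation; True if it existed."""
    rec = SESSIONS.pop(sid, None)
    if rec is None:
        return False
    USER_SESSIONS.get(rec["user_id"], set()).discard(sid)
    return True


def session_user(sid, now=None):
    """Resolve a session id to its user, or None if unknown, expired or revoked.

    Expiry is enforced here because a dict has no TTL. Redis would expire the
    key itself, but the user->sessions side still has to be cleaned up.
    """
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if now - rec["created"] > SESSION_TTL:
        revoke_session(sid)
        return None
    return rec["user_id"]


def revoke_user_sessions(user_id, keep=None):
    """'Log out all other sessions': revoke every session of user_id except keep.

    Returns the number of sessions revoked.
    """
    count = 0
    for sid in list(USER_SESSIONS.get(user_id, ())):
        if sid != keep and revoke_session(sid):
            count += 1
    return count


def deactivate_user(user_id):
    """Deactivate an account and, as noted above, drop all of its live sessions."""
    INACTIVE_USERS.add(user_id)
    return revoke_user_sessions(user_id)


if __name__ == "__main__":
    t0 = time.time()
    current = create_session(1, now=t0)
    other = create_session(1, now=t0)
    print("revoked:", revoke_user_sessions(1, keep=current))   # 1
    print("current still valid:", session_user(current, now=t0) == 1)
    print("other now invalid:", session_user(other, now=t0) is None)
```

Wiring this into a Flask app means calling `create_session` on the login signal, `revoke_session` on logout, `revoke_user_sessions(user_id, keep=current_sid)` from a "log out other devices" view, and `deactivate_user` from the datastore's deactivate path, with `session_user` consulted when loading the user for each request.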
Seems like a huge oversight that there's no way to invalidate sessions. If a user logs onto a public computer and forgets to log out, there's literally no way to kill the session. Resetting the password at the very least should kill it, and there should be a function that lets us kill the sessions.
@patrickyan you would need server side sessions to invalidate sessions remotely (please see Flask-KVSession extension).
Hey, I'm keen to have session expiry happen when a user changes their password.
This library could take a leaf out of Django's book, which stores an HMAC of the password in the session during login and then checks it during each request as part of loading the user.
If this sounds like a valid approach I'm happy to spend some time and put a PR up for it.
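The password-bound session check proposed above, as an added example that is not code from this thread, from Django or from Flask-Security. It assumes a constructed `SECRET_KEY`, a constructed user table whose `password_hash` stands in for the stored (e.g. bcrypt) hash, plain dicts for sessions, and hypothetical function names. The session stores an HMAC of the stored hash rather than the hash itself, so a leaked session cookie does not expose the hash, and any session whose stored value no longer matches is cleared on the next request.

```python
import hashlib
import hmac

# Assumed application secret; in Flask this would be app.config["SECRET_KEY"].
SECRET_KEY = b"constructed-example-secret-key"

# Constructed user record. password_hash stands for the stored password hash,
# never the plaintext password.
USERS = {
    7: {"id": 7, "password_hash": "$constructed$hash-of-old-password"},
}


def session_auth_hash(password_hash):
    """Keyed fingerprint of the stored password hash, safe to keep in a session.

    HMAC under the app secret means the session reveals nothing about the hash,
    and the value changes whenever the stored hash changes.
    """
    return hmac.new(SECRET_KEY, password_hash.encode(), hashlib.sha256).hexdigest()


def login(session, user):
    """Bind the session to the user and to the password hash current at login."""
    session["user_id"] = user["id"]
    session["_auth_hash"] = session_auth_hash(user["password_hash"])


def load_user(session):
    """Per-request user loading: reject a session whose bound hash no longer matches."""
    user = USERS.get(session.get("user_id"))
    if user is None:
        session.clear()
        return None
    expected = session_auth_hash(user["password_hash"])
    # Constant-time comparison; a mismatch means the password changed after login.
    if not hmac.compare_digest(session.get("_auth_hash", ""), expected):
        session.clear()
        return None
    return user


def change_password(user, new_password_hash, current_session=None):
    """Store the new hash; every other session of this user is invalidated implicitly.

    The session that performed the change is re-bound so that user stays logged in.
    """
    user["password_hash"] = new_password_hash
    if current_session is not None and current_session.get("user_id") == user["id"]:
        current_session["_auth_hash"] = session_auth_hash(new_password_hash)


if __name__ == "__main__":
    phone, laptop = {}, {}
    login(phone, USERS[7])
    login(laptop, USERS[7])
    change_password(USERS[7], "$constructed$hash-of-new-password", current_session=laptop)
    print("laptop still logged in:", load_user(laptop) is not None)   # True
    print("phone logged out:", load_user(phone) is None)              # True
```

Because the check runs whenever the user is loaded, no session store lookup is needed for this particular case: the password change itself is the revocation event. It does not cover the "forgot to log out on a public computer" case on its own, which still needs a server-side session store that can be cleared.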