David Lord

Results 487 comments of David Lord

I'll add types to the code, don't add them to typeshed.

As stated above, we consider the CVE invalid. You'll want to figure out how to mark those as invalid in whatever scanning tool is reporting them to you. Use of...

@sobolevn that would be great. I was trying to, but I'm not very familiar with i18n. :confounded: If you come across any other strings that need to be translatable, go...

I don't think we have the resources for transifex/crowdin/etc. Or does support not involve buying a plan? That would be a separate issue though.

I don't understand why this is necessary. If a user clicks "log out", the logout route should clear the session, at which point a new token would be generated next...

I'm also not clear how you'd expect this to fix session fixation, as it doesn't prevent an attacker reusing a previous session cookie as long as it's not expired. The...

Could you provide an example of how this change would be used to prevent that? Scenario one is more comprehensively addressed by just clearing the session on login and logout....

That is addressed by calling `session.clear()` on logging in or out, this change doesn't add anything to that.

It sounds like a `clear_csrf()` function that only removes the CSRF key and nothing else would be more clear. Then the logout view becomes:

```python
@app.route("/logout")
def logout():
    clear_csrf()
    logout_user()
    ...
```

That link is unclear about how to use a nonce. If you know what needs to happen, please open a PR.