6

Remember-me is a parameter

flask_login.login_user(user, remember=False, duration=None, force=False, fresh=True)

to login_user in Flask-Login. It makes it possible "to remember the user after their session expires."

And yet with just Flask (and not Flask-Login)

'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31)

is set by default to 31 days in the default_config (and it can be suitably modified). Also session.permanent can be set to make a session permanent, perhaps through:

from datetime import timedelta
from flask import session, app

@app.before_request
def make_session_permanent():
    session.permanent = True
    app.permanent_session_lifetime = timedelta(minutes=5)

Does Flask-Login's remember_me override Flask's permanent? How do they interact?

Calaf
  • 10,113
  • 15
  • 57
  • 120

1 Answers1

6

remember_me is not stored in the Flask session. It is is stored in a separate cookie who's name and expiration is handled in the Flask-Login configuration:

REMEMBER_COOKIE_NAME
The name of the cookie to store the “remember me” information in. Default: remember_token

REMEMBER_COOKIE_DURATION
The amount of time before the cookie expires, as a datetime.timedelta object or integer seconds. Default: 365 days (1 non-leap Gregorian year)

REMEMBER_COOKIE_REFRESH_EACH_REQUEST
If set to True the cookie is refreshed on every request, which bumps the lifetime. Works like Flask’s SESSION_REFRESH_EACH_REQUEST. Default: False

plus a few more REMEMBER_COOKIE_* settings to control visibility of the cookie (domain, path, encrypted connections only, and if code running in the browser can access the value).

The Flask session configuration has no bearing on this; that's a separate cookie with separate settings. The remember me functionality does not interact with Flask's permanent_session_lifetime / PERMANENT_SESSION_LIFETIME setting, the Flask SESSION_COOKIE_* configuration, or app.session.permanent, at all.

By default, Flask uses session as the session cookie name, and Flask-Login uses remember_token for the remember me cookie.

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343