Flask-login:请记住，如果将login_manager的session_protection设置为"strong"，则我无法工作. [英] Flask-login: remember me not working if login_manager's session_protection is set to "strong"

问题描述

我正在使用flask-login将会话管理集成到我的flask应用程序中.但是，如果我将 session_protection 设置为 strong ，记住我"功能将不起作用，但是，如果将其设置为 基本 .

i am using flask-login to integrate session management in my flask app. But the remember me functionality doesn't work if i set the session_protection to strong, however, it works absolutely fine if it's set to basic.

user_loader:

user_loader:

@login_manager.user_loader
def load_user(email):
    user = get_user_with_email(email)
    if user:
        return User(user.id, user.email, user.role_id, user.createtime, user.updatetime)

要从数据库中获取用户:

to fetch user from the database:

from psycopg2.extras import NamedTupleCursor

def get_user_with_email(email):
    cursor = get_db().cursor(cursor_factory=NamedTupleCursor)
    cursor.execute('SELECT * FROM users WHERE email = %s', (email,))
    return cursor.fetchone()

和我的用户类别:

class User(UserMixin):
    def __init__(self, username, email, role_id, createtime, updatetime):
        self.username = username
        self.email = email
        self.role_id = role_id
        self.createtime = createtime
        self.updatetime = updatetime

    @property
    def password(self):
        raise AttributeError('password is not a readable property')

    @password.setter
    def password(self, password):
        self._password = generate_password_hash(password)

    def verify_password(self, password):
        return check_password_hash(self._password, password)

    @property
    def is_active(self):
        """All users are active"""
        return True

    @property
    def is_anonymous(self):
        """Always return False, anonymous users aren't supported"""
        return False

    def get_id(self):
        """Return username for flask_login to use it as user id"""
        return self.email

    @property
    def is_authenticated(self):
        """All users are authenticated"""
        return True

    def register(self, password):
        self.password = password
        # Todo: complete the registration logic

    def __repr__(self):
        return 'User(username={0}, email={1})'.format(self.username, self.email)

我完全按照文档中的说明进行操作，但是在受到 strong 保护的情况下，浏览器关闭时用户仍然注销.我不知道怎么了.

I am doing exactly what is mentioned in the documentation, but still the user logs out when the browser closes in case of strong protection. i am not sure what's going wrong.

我将不胜感激，谢谢！

推荐答案

您没有做错任何事情，这是将会话保护设置为强"时所希望的行为.

You are not doing anything wrong, that is desired behavior when session protection is set to strong.

基本上，将会话保护设置为(基本或强)时，在用户登录后，将计算会话标识符(基于用户IP和用户user-agent)并进行存储.然后根据每个新请求进行计算，并与存储的版本进行检查.

Basically, when session protection is set (to basic or strong), after user logs in, session identifier is computed (based on users IP and users user-agent) and stored. And it is then computed upon each new request and checked with stored version.

浏览器重新启动后，为了加载用户，Flask-Login将在Remember_me cookie旁边检查会话ID是否与存储的值匹配.但是由于浏览器重新启动，因此不会存储会话ID值，并且该测试也不会通过.因此，这两种情况之一都会发生.

After browser restart in order to load a user Flask-Login will check, beside the remember_me cookie, if the session id matches stored value. But since browser is restarted there won't be stored session id value and this test won't pass.So one of these two things will happen then.

• 如果保护设置为基本"，则会话将被标记为不新鲜，并且会从记住我的cookie中加载用户.

• If the protection is set to basic, session will be flagged as not fresh and user will be loaded from remember me cookie.

如果保护设置为强，则不会加载用户，请记住，cookie将被删除.

If the protection is set to strong the user won't be loaded and remember me cookie will be deleted.

如果使用基本设置，则很好的做法是使用fresh_login_required装饰用于处理敏感操作(例如密码更改)的视图功能.如官方文档所述:

It is good practice, if basic setting is used, to decorate view function that handles sensitive operations(such as password change) with fresh_login_required. As stated in the official docs:

flask_login.fresh_login_required(func)如果您以此装饰一个视图，它将确保当前用户的登录名是最新的-也就是说，他们的会话未从记住我" cookie中恢复.与此相关的敏感操作(例如更改密码或电子邮件)应受到保护，以阻止cookie小偷的努力.

flask_login.fresh_login_required(func) If you decorate a view with this, it will ensure that the current user’s login is fresh - i.e. their session was not restored from a ‘remember me’ cookie. Sensitive operations, like changing a password or e-mail, should be protected with this, to impede the efforts of cookie thieves.

https://flask-login.readthedocs.io/zh-CN/latest/_modules/flask_login/utils.html#fresh_login_required

这篇关于Flask-login:请记住，如果将login_manager的session_protection设置为"strong"，则我无法工作.的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！