"Remember me" options on session should leave the cookie for a longer

time (e.g. one year), it should be browser-session-only otherwise
Fabio Manganiello 2019-07-23 00:31:17 +02:00
parent a16fc65d37
commit 426f064459
2 changed files with 7 additions and 3 deletions


@ -38,14 +38,16 @@ def login():
username = request.form.get('username') username = request.form.get('username')
password = request.form.get('password') password = request.form.get('password')
remember = request.form.get('remember') remember = request.form.get('remember')
expires = datetime.datetime.utcnow() + datetime.timedelta(days=365) \
if remember else None
session = user_manager.create_user_session(username=username, password=password, session = user_manager.create_user_session(username=username, password=password,
expires_at=datetime.datetime.utcnow() + datetime.timedelta(days=1) expires_at=expires)
if not remember else None)
if session: if session:
redirect_target = redirect(redirect_page, 302) redirect_target = redirect(redirect_page, 302)
response = make_response(redirect_target) response = make_response(redirect_target)
response.set_cookie('session_token', session.session_token) response.set_cookie('session_token', session.session_token, expires=expires)
return response return response
return render_template('login.html', utils=HttpUtils) return render_template('login.html', utils=HttpUtils)
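Review bot: In the non-"remember" path `expires` is now `None` for both the cookie and `create_user_session(expires_at=expires)`, so the stored session loses the one-day bound the old code gave it; if `None` means "never expires" inside `user_manager` (not visible here), a token copied out of a browser-session cookie stays valid indefinitely. The cookie can stay session-only while the stored session keeps a bound, e.g. `expires_at=expires or datetime.datetime.utcnow() + datetime.timedelta(days=1)`. The `set_cookie` call also passes no cookie attributes, and for a token that can now live a year `response.set_cookie('session_token', session.session_token, expires=expires, httponly=True, samesite='Lax')` (plus `secure=True` where the app is served over HTTPS) is worth adding. `login()` starts above the hunk, so how `redirect_page` is derived is not reviewed here.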


@ -165,6 +165,8 @@ def _authenticate_csrf_token():
if user_session_token: if user_session_token:
user, session = user_manager.authenticate_user_session(user_session_token) user, session = user_manager.authenticate_user_session(user_session_token)
else:
return False
if user is None: if user is None:
return False return False
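Review bot: The added `else: return False` fails closed when no session token is present, but nothing says so and the two-branch shape hides that this is the unauthenticated exit. A guard clause reads more directly: `if not user_session_token: return False  # no session token: reject`, followed by the unindented `authenticate_user_session` call. The function starts and continues outside the hunk, so where `user_session_token` comes from is not visible here.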