"Remember me" options on session should leave the cookie for a longer

time (e.g. one year), it should be browser-session-only otherwise
2019-07-23 00:31:17 +02:00 · 2019-07-23 00:31:17 +02:00 · 426f064459
parent a16fc65d37
commit 426f064459
2 changed files with 7 additions and 3 deletions
--- a/platypush/backend/http/app/routes/login.py
+++ b/platypush/backend/http/app/routes/login.py
@ -38,14 +38,16 @@ def login():
        username = request.form.get('username')
        password = request.form.get('password')
        remember = request.form.get('remember')
+        expires = datetime.datetime.utcnow() + datetime.timedelta(days=365) \
+            if remember else None
+
        session = user_manager.create_user_session(username=username, password=password,
-                                                   expires_at=datetime.datetime.utcnow() + datetime.timedelta(days=1)
-                                                   if not remember else None)
+                                                   expires_at=expires)

        if session:
            redirect_target = redirect(redirect_page, 302)
            response = make_response(redirect_target)
-            response.set_cookie('session_token', session.session_token)
+            response.set_cookie('session_token', session.session_token, expires=expires)
            return response

    return render_template('login.html', utils=HttpUtils)
--- a/platypush/backend/http/app/utils.py
+++ b/platypush/backend/http/app/utils.py
@ -165,6 +165,8 @@ def _authenticate_csrf_token():

    if user_session_token:
        user, session = user_manager.authenticate_user_session(user_session_token)
+    else:
+        return False

    if user is None:
        return False