88
votes

I'm building a website with flask where users have accounts and are able to login. I'm using flask-principal for the loging in part and the role management. Is there a way of making the user's session expire after say 5 minutes or 10 minutes? I was not able to find that in flask documentation or, flask-principal's documentation.

I thought of a way of doing it by hand, set a variable server-side with a time tag at the moment of login and at the next action the user takes, the server verifies the time-delta on that timestamp and deletes the session.

2
Do you want expire user session after inactivity of 5 or 10 minutes or simply expire irrespective of activity level?codecool
for inactivity i will have to implement that. just to expire when the browser is closed, or 24 hours. It does not expire at all right now.verrochio
To make a session expire relative to activity: stackoverflow.com/questions/19760486/…zengr

2 Answers

128
votes

flask sessions expire once you close the browser unless you have a permanent session. You can possibly try the following:

from datetime import timedelta
from flask import session, app

@app.before_request
def make_session_permanent():
    session.permanent = True
    app.permanent_session_lifetime = timedelta(minutes=5)

By default in Flask, permanent_session_lifetime is set to 31 days.

32
votes

Yes, We should set

session.permanent = True
app.permanent_session_lifetime = timedelta(minutes=5)

But I don't think it should be set at app.before_request, This will lead to set them too may times.

The permanent_session_lifetime is a Basics Configuration, so it should be set at you configure the app:

 from datetime import timedelta
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'xxxxxxxxx'
 app.config['PERMANENT_SESSION_LIFETIME'] =  timedelta(minutes=5)

The session will created for each client, seperated from other clients. So, I think the best place to set session.permanent is when you login():

@app.route('/login', methods=['GET', 'POST'])
def login():
    #After Verify the validity of username and password
    session.permanent = True