We're using flask-login to handle logins to our webpage. We expect it to be very strict with sessions so when a browser is closed, the user is prompted to log back in again.
We expect user would be sent to the login page for every url, and the session won't persist.
We require strict protection
login_manager.session_protection = "strong"
login_manager.refresh_view = "users.login"
Refresh view is used as the docs state:
refresh_view
The name of the view to redirect to when the user needs to reauthenticate
When the user closes their browser and begins a new session, they are not prompted to login, instead they're given a page where href's redirect to the login page, and other links give permission errors. This isn't optimal.
Internally, the way redirects are accomplished is with flask_login is by using the unauthorized() function in the login_manager.py file, which uses the request library to grab the request url of the page the user is trying to access. When an user is logged out trying to access the page it will properly grab the correct url and redirect the user to the variable assigned to the login_view setting. However, when session protection is set to strong and the user quits the application and redirects to the page, the unauthorized() function is not being executed.
So why aren't they sent to the login page every new browser instance?
ExpiresorMax-Agedirective set in cookie? If yes, cookie with a session lifetime should have none of those two directives. – Oluwafemi Sule