Remember cookie set on page loads when REMEMBER_COOKIE_REFRESH_EACH_REQUEST is set to True, regardless of whether a remember cookie was set when the user logged in #824

Open
ljsebald opened this issue Nov 14, 2023 · 0 comments

ljsebald commented Nov 14, 2023

Describe the bug
A remember cookie is set for users on every page load if the REMEMBER_COOKIE_REFRESH_EACH_REQUEST configuration option is set to True, even if a remember cookie was not set when the user is logged in initially by calling the login_user function.

To Reproduce
Steps to reproduce the behavior:

  1. Set app.config['REMEMBER_COOKIE_REFRESH_EACH_REQUEST'] = True.
  2. Call login_user(..., remember=False)
  3. Observe that the remember cookie is set.

Expected behavior
A remember cookie should not be set if the user is logged in with remember=False. Or the documentation for that configuration option should emphasize that setting the option to True will cause a remember cookie to always be set.

Additional context
I believe that the problem is caused by the fact that login_manager._update_remember_cookie will set the session["_remember"] to "set" if that variable is not set in the user's session and the configuration option mentioned above is also set. When calling login_user with remember=False, that variable is not set in the user's session at all.

Arcane-Ryn added a commit to Arcane-Ryn/flask-login that referenced this issue Aug 10, 2024
Issue maxcountryman#824. Before, if a user was logged in with the login_user function when the remember parameter was set to false, their cookies would still be refreshed if the "REMEMBER_COOKIE_REFRESH_EACH_REQUEST" configuration option was set to true. This happens because if the login_user function has the remember parameter be false, it doesn't assign session["_remember"] any value. When session["_remember"] doesn't have any value and the "REMEMBER_COOKIE_REFRESH_EACH_REQUEST" configuration option is set to true, the _update_remember_cookie function sets the session["_remember"] value to "set". This fix makes it so if the login_user function is given false for the remember parameter, instead of leaving session["_remember"] empty, it sets the value to "unset".
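The cause described in the issue and the change described in the commit message can be traced with a small state model. This is an added example, not Flask-Login's source and not code from either participant: plain dicts stand in for the Flask session and config, and the `patched` flag and the `cookies_emitted` and `audit` helpers are hypothetical. It also assumes that one-shot markers are consumed after each response while an "unset" marker stays in the session, which the page does not state.

```python
# Simplified model of the behaviour reported above; NOT Flask-Login's source.
# Plain dicts stand in for flask.session and app.config.
REFRESH = "REMEMBER_COOKIE_REFRESH_EACH_REQUEST"


def login_user(session, user_id, remember=False, patched=False):
    """Record the login; `patched` applies the change the commit message describes."""
    session["_user_id"] = user_id
    if remember:
        session["_remember"] = "set"
    elif patched:
        session["_remember"] = "unset"  # explicit opt-out marker


def update_remember_cookie(session, config):
    """After-request step. Returns True when a remember cookie would be emitted."""
    if "_remember" not in session and config.get(REFRESH):
        session["_remember"] = "set"  # the branch the issue identifies
    operation = session.get("_remember")
    if operation == "unset":
        return False  # assumption: the opt-out marker stays in the session
    session.pop("_remember", None)  # assumption: one-shot markers are consumed
    return operation == "set" and "_user_id" in session


def cookies_emitted(remember, refresh, patched=False, requests=3):
    """Log in once, then run `requests` page loads; one boolean per response."""
    session, config = {}, {REFRESH: refresh}
    login_user(session, "alice", remember=remember, patched=patched)  # constructed user id
    return [update_remember_cookie(session, config) for _ in range(requests)]


def audit():
    """Map (remember, refresh, patched) -> which responses carried the cookie."""
    return {
        (remember, refresh, patched): cookies_emitted(remember, refresh, patched)
        for remember in (False, True)
        for refresh in (False, True)
        for patched in (False, True)
    }


if __name__ == "__main__":
    for case, emitted in audit().items():
        print(case, emitted)
```

The row for `remember=False, refresh=True` is the one to watch: the unpatched model emits the cookie on every response, and the patched model never does.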