Flask-Login/Flask-Session - Links from external site


While working with Flask, Flask-Login and Flask-Session, I ran into the following problem:

When clicking on a link on an external site (cross-domain) that points to a route secured with @login_required, flask-login's _load_user function is unable to retrieve the user information (since no cookie was sent with the cross-domain request). (Without using the decorator, current_user.is_authenticated appears to be False.)

(from flask_login.login_manager.py)

    if user is None:
        config = current_app.config
        cookie_name = config.get('REMEMBER_COOKIE_NAME', COOKIE_NAME)
        header_name = config.get('AUTH_HEADER_NAME', AUTH_HEADER_NAME)
        # the remember cookie is only consulted if the browser actually sent it
        has_cookie = (cookie_name in request.cookies and
                      session.get('_remember') != 'clear')
        if has_cookie:
            cookie = request.cookies[cookie_name]
            user = self._load_user_from_remember_cookie(cookie)
        elif self._request_callback:
            user = self._load_user_from_request(request)
        elif header_name in request.headers:
            header = request.headers[header_name]
            user = self._load_user_from_header(header)

In case the decorator was used, the request will be redirected to /?next=/protectedView. If just using current_user.is_authenticated, it will return False.

The session cookie gets re-created and overwritten every time I click refresh. However, if I click in the URL bar and hit enter, the user loader is able to access the remember cookie and load the user data without creating a new session.

Is there any simple and convenient way to allow loading user data when entering a protected route from within another domain?

Update: I found out that setting REMEMBER_COOKIE_SECURE to None instead of Strict causes flask-login to log in the user. The link now redirects to the correct page.
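The behaviour above comes down to the browser's SameSite rule for the remember cookie: a Strict cookie is never attached to a navigation that starts on another site, a Lax cookie is attached to cross-site top-level GET navigations but still withheld from cross-site POSTs (so it keeps the CSRF protection that None gives up), and in Flask-Login the attribute is set through REMEMBER_COOKIE_SAMESITE (SESSION_COOKIE_SAMESITE for Flask's own session cookie). The following is an added example, not code from the question or from Flask-Login, that models that rule in plain Python and builds the hardened Set-Cookie header; RequestContext, cookie_attached, remember_cookie_header, SCENARIOS and outcome_matrix are names chosen here.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class RequestContext:
    method: str       # HTTP method of the request that would carry the cookie
    cross_site: bool  # True when the initiating page is on another site
    top_level: bool   # True for navigations that change the address bar


def cookie_attached(samesite, ctx, secure=True):
    """Does a cookie with this SameSite value get sent on ctx (RFC 6265bis rules)?
    Strict: same-site requests only.  Lax: same-site requests plus cross-site
    top-level navigations using a safe method.  None: every request, honoured
    only when the cookie also carries Secure.  Missing attribute = Lax (Chromium)."""
    policy = (samesite or "Lax").lower()
    if not ctx.cross_site:
        return True
    if policy == "strict":
        return False
    if policy == "lax":
        return ctx.top_level and ctx.method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE")
    if policy == "none":
        return secure
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def remember_cookie_header(token, samesite):
    """Set-Cookie value for Flask-Login's remember cookie (default name
    remember_token) carrying HttpOnly, Secure and the chosen SameSite attribute."""
    jar = SimpleCookie()
    jar["remember_token"] = token
    jar["remember_token"]["path"] = "/"
    jar["remember_token"]["httponly"] = True
    jar["remember_token"]["secure"] = True
    jar["remember_token"]["samesite"] = samesite
    return jar.output(header="").strip()


SCENARIOS = {  # constructed scenarios matching the question
    "external_link": RequestContext("GET", cross_site=True, top_level=True),    # link on another site
    "address_bar": RequestContext("GET", cross_site=False, top_level=True),     # URL typed by the user
    "cross_site_post": RequestContext("POST", cross_site=True, top_level=True), # CSRF-style form post
}


def outcome_matrix():
    """For each SameSite value, which scenarios still carry the remember cookie."""
    return {s: {name: cookie_attached(s, ctx) for name, ctx in SCENARIOS.items()}
            for s in ("Strict", "Lax", "None")}


if __name__ == "__main__":
    for policy, results in outcome_matrix().items():
        print(f"{policy:6} {results}")
    print(remember_cookie_header("opaque-token", "Lax"))
```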
