7

I have an Angular/Flask web app and am trying to create an admin page that will be accessed by a certain url, say "/admin_page". The page will require additional authentication and needs to issue a session timeout that is shorter than the timeout for all the other users.

However, I'm under the impression that all sessions are generated from the same variable in my flask application, which I configure as such:

app.permanent_session_lifetime = timedelta(seconds=int)

So, my question is: Is there a way to change the session timeout length for certain users without affecting the timeout length of other users' sessions?

i.e. If in my route handler for /admin_page I temporarily change the value of app.permanent_session_lifetime, create the user's session, and then restore the variable to its original value, will sessions that were created previously have their timeout value altered?

john_mc
  • 2
    really good question. You wouldn't want to issue this session lifetime based on a user role, just the url endpoint, correct? – mmenschig Apr 05 '17 at 20:41
  • thank you. And yes that's correct – john_mc Apr 05 '17 at 20:45
  • You can also make such a check and invalidate the session in pre-request handling like in these answers http://stackoverflow.com/questions/14367991/flask-before-request-add-exception-for-specific-route – pvg Apr 07 '17 at 19:02

2 Answers

0

Subclass SecureCookieSessionInterface and override the get_expiration_time() method, where you can set the session expiration time for single sessions.

Bartek Jablonski
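The subclassing approach from the answer above, as an added example (not the answerer's code). It goes beyond overriding get_expiration_time(): that method only sets the cookie's Expires attribute, so open_session() also rejects sessions past their own deadline on the server. The `expires_at` key, the 5-minute and 7-day lifetimes, and the route names are assumptions made for this example.

```python
import secrets
import time
from datetime import datetime, timedelta, timezone

from flask import Flask, session
from flask.sessions import SecureCookieSessionInterface

ADMIN_LIFETIME = timedelta(minutes=5)  # assumed value for this example


class PerSessionLifetimeInterface(SecureCookieSessionInterface):
    """Honours an optional per-session deadline stored in the signed cookie.

    "expires_at" (epoch seconds) is a key name chosen for this example.
    """

    def get_expiration_time(self, app, session):
        # Browser side: sets the cookie's Expires attribute.
        if "expires_at" in session:
            return datetime.fromtimestamp(session["expires_at"], tz=timezone.utc)
        return super().get_expiration_time(app, session)

    def open_session(self, app, request):
        # Server side: the signature check in the parent class only enforces
        # the app-wide lifetime, so reject sessions past their own deadline.
        sess = super().open_session(app, request)
        if sess is not None and time.time() > sess.get("expires_at", float("inf")):
            sess.clear()  # marks the session modified; the cookie is deleted on save
        return sess


app = Flask(__name__)
app.secret_key = secrets.token_bytes(32)  # per-process key, example only
app.permanent_session_lifetime = timedelta(days=7)  # default for everyone else
app.session_interface = PerSessionLifetimeInterface()


@app.route("/admin_page/login", methods=["POST"])
def admin_login():
    # The additional admin authentication would happen here (omitted).
    session.clear()
    session["user"] = "admin"
    session["expires_at"] = time.time() + ADMIN_LIFETIME.total_seconds()
    return "ok"


@app.route("/whoami")
def whoami():
    return session.get("user", "anonymous")
```

Because the deadline travels inside each signed cookie, issuing an admin session never touches `app.permanent_session_lifetime`, and sessions without `expires_at` keep the app-wide lifetime. The deadline here is absolute (fixed at login), not refreshed on each request.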
-1

Yes of course!

1) If it is a URL-based session lifetime that you want:

For each view, append your configuration line:

app.permanent_session_lifetime = timedelta(seconds=int)

or

app.config['PERMANENT_SESSION_LIFETIME'] = <intended_value_in_seconds>

2) If it is on a per-user basis:

I recommend creating groups and for each group assign a specific config so you can just call the config when needed.

def group_session(self, group):
    # Set the lifetime configured for the given group, then return it
    if group == 'visitors':
        app.config['PERMANENT_SESSION_LIFETIME'] = <intended_value_in_seconds>
    elif group == 'admin':
        app.config['PERMANENT_SESSION_LIFETIME'] = <intended_value_in_seconds>
    return app.config['PERMANENT_SESSION_LIFETIME']

3) If you prefer to have a per-user session lifetime, then:

if user == <chosen_name>:
    app.config['PERMANENT_SESSION_LIFETIME'] = <intended_value_in_seconds>

I hope this helps!

Ktk
  • 2
    The problem isn't that I don't know how to change the session lifetime variable (see the middle of my question). The problem is that, in flask, the 'permanent_session_lifetime' variable is a singleton that retroactively overwrites the timeout length of sessions previously created. Therefore, if an admin logs in (w/ a shorter session) when there are users logged in, the users' sessions will be overwritten with the admin session length and will be prematurely logged out. Therefore, what I'm asking is if I can maintain distinct values for the session lengths without this unwanted behavior – john_mc Apr 12 '17 at 17:43