Flask-Login 0.1 Released
I am proud to announce the release of Flask-Login 0.1. It provides user session management for Flask.
- On PyPI: http://pypi.python.org/pypi/Flask-Login/0.1
- On Bitbucket: https://bitbucket.org/leafstorm/flask-login/
- The docs: http://packages.python.org/Flask-Login/
Basically, it handles logging in, logging out, remembering your users, and attempting to protect them from cookie thieves. (That last is especially tricky.) I patterned most of the API design after django.contrib.auth, but it is not tied to any database or permissions system.
Securely storing session data
One idea that I had for Flask-Login that I decided not to implement in the first release was rotating “Remember Me” tokens. The concept behind that is instead of having a single “Remember Me” token that lasts for all time (unless your cookie expires), a unique token is generated for each user session. When a user logs in and “redeems” their token, the old token is deleted and a new one is generated.
The reason I decided not to implement it is because I would basically have to implement a complete storage system for the tokens, which would be a lot of work for just one extension. So, one idea that I may pursue in the future is “Flask-KVStore”: a generic interface to key/value stores for session data. (“Session data” is defined as any data that is (a) transient, (b) shouldn’t be stored on the client, and (c) somewhat expendable.)
It would be a bit more structured than just a key/value store, though. Instead of just stashing the data in the store, one would obtain a “collection” (for example, remember_tokens) and stash the data as keys within the collection. (The ideal backend for this would be Redis, but the whole purpose of having an abstraction is so that if you don’t have Redis or whatever available, you can still use it.)
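A sketch of the rotating token scheme and the collection idea described above, as an added example: it is not code from Flask-Login, and no Flask-KVStore API exists to copy. The names MemoryStore, RememberTokens, collection, issue and redeem are hypothetical, the backend is a plain in-memory dict, and storing only a SHA-256 hash of each token is a choice made for this example.

```python
import hashlib
import secrets


class MemoryStore:
    """Hypothetical in-memory backend that hands out named collections."""

    def __init__(self):
        self._collections = {}

    def collection(self, name):
        # Each collection is its own key/value namespace inside the store.
        return self._collections.setdefault(name, {})


class RememberTokens:
    """Single-use "Remember Me" tokens kept in the remember_tokens collection."""

    def __init__(self, store):
        self._tokens = store.collection("remember_tokens")

    @staticmethod
    def _digest(token):
        # Assumption of this example: only a hash is stored server-side,
        # so a leaked store does not contain usable cookie values.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a token for one user session and return the cookie value."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = user_id
        return token

    def redeem(self, token):
        """Return (user_id, new_token), or None if the token is unknown or spent."""
        # pop() deletes the old token, so a copied cookie that is replayed
        # after the legitimate redemption no longer matches anything.
        user_id = self._tokens.pop(self._digest(token), None)
        if user_id is None:
            return None
        return user_id, self.issue(user_id)  # rotation: a fresh token replaces it
```

A view that accepts the cookie would call redeem() once, log the user in on success, and set the returned token as the new cookie value.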
Anyway, that is mostly just brainstorming, and probably quite a ways off. (Still, if you think that is a good idea, let me know.)