Flask-Login provides user session management for Flask. It handles the commontasks of logging in, logging out, and remembering your users’ sessions overextended periods of time.

It will:

• Store the active user’s ID in the session, and let you log them in and outeasily.
• Let you restrict views to logged-in (or logged-out) users.
• Handle the normally-tricky “remember me” functionality.
• Help protect your users’ sessions from being stolen by cookie thieves.
• Possibly integrate with Flask-Principal or other authorization extensionslater on.

However, it does not:

Route One Specialized, based in East Dundee, IL, provides trucking and distribution services to a variety of customers across multiple industries. Route One Specialized is a certified Minority Business Enterprise (MBE) and one of the innovative trucking companies in the US (founded in 2014).

• Impose a particular database or other storage method on you. You areentirely in charge of how the user is loaded.
• Restrict you to using usernames and passwords, OpenIDs, or any other methodof authenticating.
• Handle permissions beyond “logged in or not.”
• Handle user registration or account recovery.

• API Documentation

Installation¶

Install the extension with pip:

Configuring your Application¶

The most important part of an application that uses Flask-Login is theLoginManager class. You should create one for your application somewhere inyour code, like this:

The login manager contains the code that lets your application and Flask-Loginwork together, such as how to load a user from an ID, where to send users whenthey need to log in, and the like.

Once the actual application object has been created, you can configure it forlogin with:

By default, Flask-Login uses sessions for authentication. This means you mustset the secret key on your application, otherwise Flask will give youan error message telling you to do so. See the Flask documentation on sessionsto see how to set a secret key.

Warning: Make SURE to use the given command in the“How to generate good secret keys” section to generate your own secret key.DO NOT use the example one.

How it Works¶

You will need to provide a user_loader callback. This callbackis used to reload the user object from the user ID stored in the session. Itshould take the unicode ID of a user, and return the corresponding userobject. For example:

It should return None (not raise an exception) if the ID is not valid.(In that case, the ID will manually be removed from the session and processingwill continue.)

Your User Class¶

The class that you use to represent users needs to implement these propertiesand methods:

is_authenticated

This property should return True if the user is authenticated, i.e. theyhave provided valid credentials. (Only authenticated users will fulfillthe criteria of login_required.)

is_active

This property should return True if this is an active user - in additionto being authenticated, they also have activated their account, not beensuspended, or any condition your application has for rejecting an account.Inactive accounts may not log in (without being forced of course).

is_anonymous

This property should return True if this is an anonymous user. (Actualusers should return False instead.)

get_id()

This method must return a unicode that uniquely identifies this user,and can be used to load the user from the user_loadercallback. Note that this must be a unicode - if the ID is nativelyan int or some other type, you will need to convert it to unicode.

To make implementing a user class easier, you can inherit from UserMixin,which provides default implementations for all of these properties and methods.(It’s not required, though.)

Login Example¶

Once a user has authenticated, you log them in with the login_userfunction.

Warning: You MUST validate the value of the next parameter. If you do not,your application will be vulnerable to open redirects. For an exampleimplementation of is_safe_url see this Flask Snippet.

It’s that simple. You can then access the logged-in user with thecurrent_user proxy, which is available in every template:

Views that require your users to be logged in can bedecorated with the login_required decorator:

When the user is ready to log out:

They will be logged out, and any cookies for their session will be cleaned up.

Customizing the Login Process¶

By default, when a user attempts to access a login_required view withoutbeing logged in, Flask-Login will flash a message and redirect them to thelog in view. (If the login view is not set, it will abort with a 401 error.)

The name of the log in view can be set as LoginManager.login_view.For example:

The default message flashed is Pleaselogintoaccessthispage. Tocustomize the message, set LoginManager.login_message:

To customize the message category, set LoginManager.login_message_category:

When the log in view is redirected to, it will have a next variable in thequery string, which is the page that the user was trying to access. Alternatively,if USE_SESSION_FOR_NEXT is True, the page is stored in the session under thekey next.

If you would like to customize the process further, decorate a function withLoginManager.unauthorized_handler:

Login using Authorization header¶

Caution Maltego trial license.

This method will be deprecated; use the request_loaderbelow instead.

Sometimes you want to support Basic Auth login using the Authorizationheader, such as for api requests. To support login via header you will needto provide a header_loader callback. This callback should behavethe same as your user_loader callback, except that it acceptsa header value instead of a user id. For example:

By default the Authorization header’s value is passed to yourheader_loader callback. You can change the header used withthe AUTH_HEADER_NAME configuration.

Custom Login using Request Loader¶

Sometimes you want to login users without using cookies, such as using headervalues or an api key passed as a query argument. In these cases, you should usethe request_loader callback. This callback should behave thesame as your user_loader callback, except that it accepts theFlask request instead of a user_id.

For example, to support login from both a url argument and from Basic Authusing the Authorization header:

Anonymous Users¶

By default, when a user is not actually logged in, current_user is set toan AnonymousUserMixin object. It has the following properties and methods:

• is_active and is_authenticated are False
• is_anonymous is True
• get_id() returns None

If you have custom requirements for anonymous users (for example, they needto have a permissions field), you can provide a callable (either a class orfactory function) that creates anonymous users to the LoginManager with:

Remember Me¶

By default, when the user closes their browser the Flask Session is deletedand the user is logged out. “Remember Me” prevents the user from accidentallybeing logged out when they close their browser. This does NOT meanremembering or pre-filling the user’s username or password in a login formafter the user has logged out.

“Remember Me” functionality can be tricky to implement. However, Flask-Loginmakes it nearly transparent - just pass remember=True to the login_usercall. A cookie will be saved on the user’s computer, and then Flask-Loginwill automatically restore the user ID from that cookie if it is not in thesession. The amount of time before the cookie expires can be set with theREMEMBER_COOKIE_DURATION configuration or it can be passed to login_user.The cookie is tamper-proof, so if the user tampers with it (i.e.inserts someone else’s user ID in place of their own), the cookie will merelybe rejected, as if it was not there.

That level of functionality is handled automatically. However, you can (andshould, if your application handles any kind of sensitive data) provideadditional infrastructure to increase the security of your remember cookies.

Alternative Tokens¶

Using the user ID as the value of the remember token means you must change theuser’s ID to invalidate their login sessions. One way to improve this is to usean alternative user id instead of the user’s ID. For example:

Then the get_id method of your User class would return thealternative id instead of the user’s primary ID:

This way you are free to change the user’s alternative id to a new randomlygenerated value when the user changes their password, which would ensure theirold authentication sessions will cease to be valid. Note that the alternativeid must still uniquely identify the user… think of it as a second user ID.

Fresh Logins¶

When a user logs in, their session is marked as “fresh,” which indicates thatthey actually authenticated on that session. When their session is destroyedand they are logged back in with a “remember me” cookie, it is marked as“non-fresh.” login_required does not differentiate between freshness, whichis fine for most pages. However, sensitive actions like changing one’spersonal information should require a fresh login. (Actions like changingone’s password should always require a password re-entry regardless.)

fresh_login_required, in addition to verifying that the user is loggedin, will also ensure that their login is fresh. If not, it will send them toa page where they can re-enter their credentials. You can customize itsbehavior in the same ways as you can customize login_required, by settingLoginManager.refresh_view, needs_refresh_message, andneeds_refresh_message_category:

Or by providing your own callback to handle refreshing:

To mark a session as fresh again, call the confirm_login function.

Cookie Settings¶

The details of the cookie can be customized in the application settings.

Session Protection¶

While the features above help secure your “Remember Me” token from cookiethieves, the session cookie is still vulnerable. Flask-Login includes sessionprotection to help prevent your users’ sessions from being stolen.

You can configure session protection on the LoginManager, and in the app’sconfiguration. If it is enabled, it can operate in either basic or strongmode. To set it on the LoginManager, set thesession_protection attribute to 'basic' or 'strong':

Or, to disable it:

By default, it is activated in 'basic' mode. It can be disabled in theapp’s configuration by setting the SESSION_PROTECTION setting to None,'basic', or 'strong'.

When session protection is active, each request, it generates an identifierfor the user’s computer (basically, a secure hash of the IP address and useragent). If the session does not have an associated identifier, the onegenerated will be stored. If it has an identifier, and it matches the onegenerated, then the request is OK.

If the identifiers do not match in basic mode, or when the session ispermanent, then the session will simply be marked as non-fresh, and anythingrequiring a fresh login will force the user to re-authenticate. (Of course,you must be already using fresh logins where appropriate for this to have aneffect.)

If the identifiers do not match in strong mode for a non-permanent session,then the entire session (as well as the remember token if it exists) isdeleted.

Disabling Session Cookie for APIs¶

When authenticating to APIs, you might want to disable setting the FlaskSession cookie. To do this, use a custom session interface that skips savingthe session depending on a flag you set on the request. For example:

This prevents setting the Flask Session cookie whenever the user authenticatedusing your header_loader.

Localization¶

By default, the LoginManager uses flash to display messages when a useris required to log in. These messages are in English. If you requirelocalization, set the localize_callback attribute of LoginManager to afunction to be called with these messages before they’re sent to flash,e.g. gettext. This function will be called with the message and its returnvalue will be sent to flash instead.

API Documentation¶

This documentation is automatically generated from Flask-Login’s source code.

Configuring Login¶

This object is used to hold the settings used for logging in. Instancesof LoginManager are not bound to specific apps, so you cancreate one in the main body of your code and then bind it to yourapp in a factory function.

This method has been deprecated. Please useLoginManager.init_app() instead.

This is called when the user is required to log in. If you register acallback with LoginManager.unauthorized_handler(), then it willbe called. Otherwise, it will take the following actions:

• Flash LoginManager.login_message to the user.
• If the app is using blueprints find the login view forthe current blueprint using blueprint_login_views. If the appis not using blueprints or the login view for the currentblueprint is not specified use the value of login_view.
• Redirect the user to the login view. (The page they wereattempting to access will be passed in the next querystring variable, so you can redirect there if present insteadof the homepage. Alternatively, it will be added to the sessionas next if USE_SESSION_FOR_NEXT is set.)

If LoginManager.login_view is not defined, then it will simplyraise a HTTP 401 (Unauthorized) error instead.

This should be returned from a view or before/after_request function,otherwise the redirect will have no effect.

This is called when the user is logged in, but they need to bereauthenticated because their session is stale. If you register acallback with needs_refresh_handler, then it will be called.Otherwise, it will take the following actions:

• Flash LoginManager.needs_refresh_message to the user.
• Redirect the user to LoginManager.refresh_view. (The pagethey were attempting to access will be passed in the nextquery string variable, so you can redirect there if presentinstead of the homepage.)

If LoginManager.refresh_view is not defined, then it willsimply raise a HTTP 401 (Unauthorized) error instead.

This should be returned from a view or before/after_request function,otherwise the redirect will have no effect.

General Configuration

This sets the callback for reloading a user from the session. Thefunction you set should take a user ID (a unicode) and return auser object, or None if the user does not exist.

This function has been deprecated. Please useLoginManager.request_loader() instead.

This sets the callback for loading a user from a header value.The function you set should take an authentication token andreturn a user object, or None if the user does not exist.

A class or factory function that produces an anonymous user, whichis used when no one is logged in.

unauthorized Configuration

The name of the view to redirect to when the user needs to log in. (Thiscan be an absolute URL as well, if your authentication machinery isexternal to your application.)

The message to flash when a user is redirected to the login page.

This will set the callback for the unauthorized method, which amongother things is used by login_required. It takes no arguments, andshould return a response to be sent to the user instead of theirnormal view.

needs_refresh Configuration

The name of the view to redirect to when the user needs toreauthenticate.

The message to flash when a user is redirected to the reauthenticationpage.

This will set the callback for the needs_refresh method, which amongother things is used by fresh_login_required. It takes no arguments,and should return a response to be sent to the user instead of theirnormal view.

Login Mechanisms¶

A proxy for the current user.

This returns True if the current login is fresh.

Logs a user in. You should pass the actual user object to this. If theuser’s is_active property is False, they will not be logged inunless force is True.

This will return True if the log in attempt succeeds, and False ifit fails (i.e. because the user is inactive).

Logs a user out. (You do not need to pass the actual user.) This willalso clean up the remember me cookie if it exists.

This sets the current session as fresh. Sessions become stale when theyare reloaded from a cookie.

Protecting Views¶

If you decorate a view with this, it will ensure that the current user islogged in and authenticated before calling the actual view. (If they arenot, it calls the LoginManager.unauthorized callback.) Forexample:

If there are only certain times you need to require that your user islogged in, you can do so with:

…which is essentially the code that this function adds to your views.

It can be convenient to globally turn off authentication when unit testing.To enable this, if the application configuration variable LOGIN_DISABLEDis set to True, this decorator will be ignored.

Note

Per W3 guidelines for CORS preflight requests,HTTP OPTIONS requests are exempt from login checks.

If you decorate a view with this, it will ensure that the current user’slogin is fresh - i.e. their session was not restored from a ‘remember me’cookie. Sensitive operations, like changing a password or e-mail, shouldbe protected with this, to impede the efforts of cookie thieves.

If the user is not authenticated, LoginManager.unauthorized() iscalled as normal. If they are authenticated, but their session is notfresh, it will call LoginManager.needs_refresh() instead. (In thatcase, you will need to provide a LoginManager.refresh_view.)

Behaves identically to the login_required() decorator with respectto configutation variables.

Note

Per W3 guidelines for CORS preflight requests,HTTP OPTIONS requests are exempt from login checks.

User Object Helpers¶

This provides default implementations for the methods that Flask-Loginexpects user objects to have.

This is the default object for representing an anonymous user.

Utilities¶

Creates a URL for redirecting to a login page. If only login_view isprovided, this will just return the URL for it. If next_url is provided,however, this will append a next=URL parameter to the query stringso that the login view can redirect back to that URL. Flask-Login’s defaultunauthorized handler uses this function when redirecting to your login url.To force the host name used, set FORCE_HOST_FOR_REDIRECTS to a host. Thisprevents from redirecting to external sites if request headers Host orX-Forwarded-For are present.

Signals¶

See the Flask documentation on signals for information on how to use thesesignals in your code. Download free cleanmymac 1.10.4 apps for mac.

Sent when a user is logged in. In addition to the app (which is thesender), it is passed user, which is the user being logged in.

Sent when a user is logged out. In addition to the app (which is thesender), it is passed user, which is the user being logged out.

Sent when a user’s login is confirmed, marking it as fresh. (It is notcalled for a normal login.)It receives no additional arguments besides the app.

Sent when the unauthorized method is called on a LoginManager. Itreceives no additional arguments besides the app.

Sent when the needs_refresh method is called on a LoginManager. Itreceives no additional arguments besides the app.

Sent whenever session protection takes effect, and a session is eithermarked non-fresh or deleted. It receives no additional arguments besidesthe app.

• RouteOne Unify Your Sales and Finance Channels

  routeone.com

  https://www.routeone.com/

  RouteOne’s Digital Retail Services enables your customers to work through your vehicle buying process quickly and easily – from the web or on any mobile device. Digital Retail Solutions to Enhance Today's Customer Experience. Deliver more value with your deals. Ensure aftermarket products are presented in a consistent manner.

  DA:40PA:61MOZ Rank:1

• Reset Password - RouteOne

  routeone.net

  https://www.routeone.net/Web/ForgotPassword

  If you require assistance providing this information, please contact your Finance Source or Dealer System Administrator or RouteOne customer support at 1-866-ROUTE01 (1-866-768-8301), option 3, in the U.S. or 1-877-556-0003 in Canada. You may also send an email to [email protected]

  DA:31PA:24MOZ Rank:1

• RouteOne - Download.com

  cnet.com

  https://download.cnet.com/developer/routeone/i-10119366

  Find RouteOne software downloads at CNET Download.com, the most comprehensive source for safe, trusted, and spyware-free downloads on the Web

  DA:5PA:62MOZ Rank:65

• routeone dealer login RouteOne Unify Your Sales and ..

  linkddl.com

  https://www.linkddl.com/search/routeone-dealer-login

  The independent used car dealer who is looking for top notch dealer management system functionalities at the most competitive price in the market. Platform that helps automotive dealers and vehicle financiers with credit application, compliance, contract management and workflow management.

  DA:80PA:56MOZ Rank:43

• DealerCONNECT Login

  chrysler.com

  https://dealerconnect.chrysler.com/portal/Controller/Portal

  FCA US LLC DealerCONNECT. Access to FCA US LLC's computer systems is controlled. UNAUTHORIZED ACCESS OR USE IS PROHIBITED. Authorized users are hereby informed that FCA US LLC management may monitor this use and ensure compliance. FCA US LLC may terminate access privileges, take DISCIPLINARY ACTION and/or institute civil or criminal proceedings ..

  DA:37PA:9MOZ Rank:91

• RouteOne LinkedIn

  linkedin.com

  https://www.linkedin.com/company/routeone

  In addition, RouteOne enables dealer choice across a wide variety of best-in-class providers through open integrations with over 135 DSPs. For additional information, please contact RouteOne ..

  DA:92PA:66MOZ Rank:66

• routeone NUMBER ONE FOR COACH, BUS & MINIBUS - routeone news

  route-one.net

  https://www.route-one.net/

  routeone magazine is the indispensable resource for professional UK bus and coach operators. The home of vehicle sales and the latest bus and coach job vacancies, routeone connects professional PCV operators with complete and unrivalled news coverage.

  DA:49PA:83MOZ Rank:51

• RouteOne LLC - Company Profile and News - Bloomberg Markets

  bloomberg.com

  https://www.bloomberg.com/profile/company/863851Z:US

  Company profile page for RouteOne LLC including stock price, company news, press releases, executives, board members, and contact information

  DA:34PA:24MOZ Rank:30

• DealerCenter vs RouteOne - 2020 Feature and Pricing Comparison

  capterra.com

  https://www.capterra.com/auto-dealer-software/compare/71935-147575/DealerCenter-vs-RouteOne

  The independent used car dealer who is looking for top notch dealer management system functionalities at the most competitive price in the market. Platform that helps automotive dealers and vehicle financiers with credit application, compliance, contract management and workflow management.

  DA:13PA:97MOZ Rank:14