Understanding Flask-Login Tokens Tutorial

When I was trying to implement Flask-Login into my first Flask application i had difficulty understanding from the flask-login docs how to implement the Authorization Tokens required to use the Remember Me feature. I found another flask plugin package called Flask-Security, which I used to base the below example off of. This example extends the basic example that the Flask-Login Documentation gives and adds support for the get_auth_token and the token_loader methods.

What is what?

  • Flask is a microframework for Python based on Werkzeug, Jinja 2 and good intentions.  Simply Flask is a lightweight framework used for serving dynamic web pages (applications) on the internet.  More importantly Flask is Fun.  This example uses Flask version 0.9.
  • Flask-Login is a Python module which helps add user session management for Flask.  This example uses Flask-Login version 0.1.3.
  • itsdangerous is a Python module which helps securely sign cookies in this example.  This example uses itsdangerous version 0.17.

Flask-Login Alternative Tokens

In order to implement Flask-Login alternative tokens, which are recommended by Flask-Login you need to implement two methods, get_auth_token in your User Class and token_loader callback method.


In our user class we need to implement a get_auth_token method which will return a secure token string which will be stored in a cookie on the users computer.  The cookie will be used when a user returns to the your site.  Flask-Login will load the token and ask us to decode and return a User class with the token_loader function.  Because the token is stored on the users computer we need to make it secure.  We will use itsdangerous to do that for us.  We will combine the username and hashed password into a list then pass that to itsdangerous to encrypt using our flask secret_key.

We store the password hash so that if a user is logged in on multiple computers/browsers and changes their password, it will invalidate the cookie token.


The token_loader callback needs to take the token string passed to it and decode it.  We also use this method to enforce the expiration date of the token as explained in the code below.  Because we stored both the username and password hash in the token, once we decode it we need to check and that the username and password match.


  • Its important to note that the Flask Session Cookie and the Flask-Login Cookie are vulnerable to attack.  Although the cookies are encrypted and relatively safe from attack a user who is sniffing network traffic can easily copy the cookies and impersonate the user.  The only way to prevent this kind of attack is to use secure sockets (https) when sending back and forth the cookies.  This example does not cover that scope.
  • This example does use a password salt and hash to store the users passwords.   It is important to never store a users plain text password, that way if your system is ever compromised someone can still not access users data even with the stored password hash.  Wikipedia, readwrite.com

 Complete Working Example