From 0d147ad7f6edb5c740008b8d411e10d8e42f4a78 Mon Sep 17 00:00:00 2001
From: "B. Stack" <bgstack15@gmail.com>
Date: Sun, 27 Jun 2021 18:08:47 -0400
Subject: clear session at logout

   this feature is not well-documented in flask.
---
 session_app.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'session_app.py')

diff --git a/session_app.py b/session_app.py
index 50a52fd..1743b2a 100755
--- a/session_app.py
+++ b/session_app.py
@@ -15,12 +15,11 @@
 #    _unauthorized_kerberos meta redirect from https://billstclair.com/html-redirect2.html
 #    preserve POST with code 307 https://stackoverflow.com/a/15480983/3569534
 # Improve:
-#    remove session info, when logging out?
 # Run:
 #    FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
 # Dependencies:
-#    apt-get install python3-flask
-#    pip3 install Flask-kerberos kerberos
+#    apt-get install python3-flask python3-kerberos
+#    pip3 install Flask-kerberos
 
 from flask import Flask, Response, redirect, url_for, render_template, request, _request_ctx_stack as stack, make_response, session
 from flask_kerberos import init_kerberos, requires_authentication, _unauthorized, _forbidden, _gssapi_authenticate
@@ -335,8 +334,8 @@ def handle_login_ldap_from_non_ldap(request):
 @app.route("/logout/")
 def logout():
    resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("index")}">logged out')
-   # Doing anything with session here leaves a cookie.
-   #session['user']=""
+   # not documented but is found on the Internet in a few random places:
+   session.clear()
    resp.set_cookie('user','',expires=0)
    resp.set_cookie('type','',expires=0)
    resp.set_cookie('session','',expires=0)
-- 
cgit