Issue
I have an Azure webapp running a Flask Application. I have no extra workers, just running it on default settings.
Since moving from Flask-Login 0.6.0 to 0.6.3 it is no longer logging out when it is expired.
I have my init.py file
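    import os
    from datetime import timedelta

    from flask import Flask, current_app, session

    # db, lm and config are defined elsewhere in the application package.

    def create_app(config_env=os.getenv("ENV"), register_blueprints=True):
        app = Flask(__name__)
        app.config.from_object(config[config_env])
        db.init_app(app)
        lm.init_app(app)
        lm.login_view = "auth.login"
        lm.login_message_category = "info"
        lm.refresh_view = "auth.login"
        lm.needs_refresh_message = "Session timedout, please re-login"
        lm.login_message_category = "info"

        @app.before_request
        def my_func():
            # Mark the session as modified so the cookie is re-issued on every request.
            session.modified = True

        @app.before_request
        def before_request():
            # Permanent sessions expire after permanent_session_lifetime.
            session.permanent = True
            current_app.permanent_session_lifetime = timedelta(minutes=1)

        # Needed by the caller (app = create_app()); not shown in the post.
        return app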
and I have my model.py file:
    from datetime import datetime

    from flask_login import UserMixin

    # db and lm are the same extension objects used in create_app().

    @lm.user_loader
    def load_user(user_id):
        # Called by Flask-Login with the user id stored in the session.
        return PortalUsers.query.get(int(user_id))

    class PortalUsers(UserMixin, db.Model):
        __tablename__ = "tbl_PortalUsers"
        id = db.Column("Staff_Id", db.Integer, primary_key=True)
        first_name = db.Column("First_Name", db.String(100, "SQL_Latin1_General_CP1_CI_AS"))
        last_name = db.Column("Last_Name", db.String(100, "SQL_Latin1_General_CP1_CI_AS"))
        full_name = db.Column(
            db.String(201, "SQL_Latin1_General_CP1_CI_AS"),
            db.Computed("(([First_Name]+' ')+[Last_Name])", persisted=False),
        )
        phone = db.Column("Phone", db.String(10, "SQL_Latin1_General_CP1_CI_AS"))
        email = db.Column("Email", db.String(50, "SQL_Latin1_General_CP1_CI_AS"))
        role_type = db.Column("Role_Type", db.String(20, "SQL_Latin1_General_CP1_CI_AS"))
        portal_active = db.Column("Portal_Active", db.Integer)
        date_created = db.Column("Date_Created", db.DateTime, default=datetime.utcnow)
        created_by = db.Column("Created_By", db.String(100, "SQL_Latin1_General_CP1_CI_AS"))
        last_updated = db.Column("Last_Updated", db.DateTime, default=datetime.utcnow)
        last_updated_by = db.Column(
            "Last_Updated_By", db.String(100, "SQL_Latin1_General_CP1_CI_AS")
        )
        date_deleted = db.Column("Date_Deleted", db.DateTime)
        time_zone_id = db.Column(
            "TimeZoneId",
            db.Integer,
            db.ForeignKey("tbl_TimeZones.id"),
            unique=False,
            nullable=False,
            default=1,
        )
        password = db.Column("Password", db.String(64), nullable=False)
On my localhost, everything works as expected, and after 1 minute, if I refresh my link I am redirected to the login page with a flashed message.
On production in my Azure Web App I am not redirected. The session cookie on production does change. For example:
and after the 1 minute:
I am not sure where to troubleshoot. Is it something to do with Azure? Or is it a flag I am missing for Flask-Login? Or is it something actually to do with Flask? Any help to point me in the correct direction would be greatly appreciated.
UPDATE
Looking at my session Cookies on localhost, I get the expected session on login, and on expiry. As an example the expired session cookie is:
eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlLCJjc3JmX3Rva2VuIjoiYWFhNTE1ZTEwNDg5OGZlYzMwZDk1ZDFkY2IyN2ZkYWJiOTI0M2Y3MyJ9.ZU2zrQ.-GCaBYI8ksvVBRjylRgLM2Cmst0
which decodes to:
    {
        "_fresh": false,
        "_permanent": true,
        "csrf_token": "aaa515e104898fec30d95d1dcb27fdabb9243f73"
    }
But in production on expiry or on logout I get a session cookie like: eyJfcGVybWFuZW50Ijp0cnVlfQ.ZU20qQ.tyNVkqrhHbHtDwQUU2PMc7p6Pco
which gives me [ERR: Not JSON data]
This leads me to believe it has something to do with Flask, since Flask-Login can't read the invalid session. However, I am not seeing much in the community about it, so I think I must still be doing something incorrectly.
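The two cookie values quoted in the UPDATE can be inspected offline. The following is an added example, not part of the original post: it decodes the payload segment of a Flask client-side session cookie with the standard library only. The helper names are illustrative, and the signature is not verified because that requires the application's SECRET_KEY.

```python
import base64
import json
import zlib

# Cookie values copied from the question above.
LOCAL_EXPIRED = "eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlLCJjc3JmX3Rva2VuIjoiYWFhNTE1ZTEwNDg5OGZlYzMwZDk1ZDFkY2IyN2ZkYWJiOTI0M2Y3MyJ9.ZU2zrQ.-GCaBYI8ksvVBRjylRgLM2Cmst0"
PROD_EXPIRED = "eyJfcGVybWFuZW50Ijp0cnVlfQ.ZU20qQ.tyNVkqrhHbHtDwQUU2PMc7p6Pco"


def b64url_decode(segment: str) -> bytes:
    """Decode URL-safe base64 whose '=' padding has been stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_session_cookie(cookie: str) -> dict:
    """Return the unverified payload of a Flask session cookie.

    Layout: [.]payload.timestamp.signature. A leading '.' marks a
    zlib-compressed payload. The signature is NOT checked here, so the
    result is untrusted diagnostic output only.
    """
    compressed = cookie.startswith(".")
    body = cookie[1:] if compressed else cookie
    payload, _timestamp, _signature = body.rsplit(".", 2)
    raw = b64url_decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def describe(cookie: str) -> dict:
    """Summarise which keys a session cookie still carries."""
    data = decode_session_cookie(cookie)
    return {
        "keys": sorted(data),
        # Flask-Login keeps the logged-in user's id under "_user_id".
        "has_login": "_user_id" in data,
    }


if __name__ == "__main__":
    for name, value in (("local", LOCAL_EXPIRED), ("production", PROD_EXPIRED)):
        print(name, decode_session_cookie(value), describe(value))
```

Run against the values above, the production cookie decodes to {"_permanent": true}: well-formed JSON with no Flask-Login keys left in it.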
Solution
I found the answer in a roundabout way. But essentially I found similar aspects to what was going on in this post:
CSRF Token Error when using gunicorn and Flask
Directly from their post:
The short answer: use

    with app.app_context():
        your code

instead of

    app.app_context().push()

which is never closed
changing this in my code:
Original:
    from application import create_app

    app = create_app()
    # Application context pushed at import time and never popped.
    app.app_context().push()

    if __name__ == "__main__":
        app.run(host='0.0.0.0', port=5008, debug=True)
        #app.run()
to
    from application import create_app

    app = create_app()
    # The context manager pops the application context when the block exits.
    with app.app_context():
        if __name__ == "__main__":
            app.run(host='0.0.0.0', port=5008, debug=True)
            #app.run()
Now when I log out or it times out, the session cookie is maintained, which allows for Flask-Login to work correctly, as well as the CSRF tokens.
Answered By - ghawes