diff --git a/flask_login/login_manager.py b/flask_login/login_manager.py
index 2e6979f7..8ba7a6e0 100644
--- a/flask_login/login_manager.py
+++ b/flask_login/login_manager.py
@@ -169,7 +169,7 @@ def unauthorized(self):
 config = current_app.config
 if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
 login_url = expand_login_view(login_view)
- session['_id'] = current_app.login_manager._session_identifier_generator()
+ session['_id'] = self._session_identifier_generator()
 session['next'] = make_next_param(login_url, request.url)
 redirect_url = make_login_url(login_view)
 else:
@@ -282,7 +282,7 @@ def needs_refresh(self):
 config = current_app.config
 if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
 login_url = expand_login_view(self.refresh_view)
- session['_id'] = current_app.login_manager._session_identifier_generator()
+ session['_id'] = self._session_identifier_generator()
 session['next'] = make_next_param(login_url, request.url)
 redirect_url = make_login_url(self.refresh_view)
 else:
diff --git a/flask_login/utils.py b/flask_login/utils.py
index 904fb005..09b70157 100644
--- a/flask_login/utils.py
+++ b/flask_login/utils.py
@@ -195,6 +195,9 @@ def logout_user():
 if '_fresh' in session:
 session.pop('_fresh')
+ if '_id' in session:
+ session.pop('_id')
+ cookie_name = current_app.config.get('REMEMBER_COOKIE_NAME', COOKIE_NAME)
 if cookie_name in request.cookies:
 session['remember'] = 'clear'
diff --git a/test_login.py b/test_login.py
index 8cfda8eb..43a54d29 100644
--- a/test_login.py
+++ b/test_login.py
@@ -518,7 +518,7 @@ def login():
 'http://localhost/login')
 self.assertEqual(c.get('/login').data.decode('utf-8'), '/secret')
- def test_unauthorized_with_next_in_strong_session_where_current_user_is_called(self):
+ def test_unauthorized_with_next_in_strong_session(self):
 self.login_manager.login_view = 'login'
 self.app.config['SESSION_PROTECTION'] = 'strong'
 self.app.config['USE_SESSION_FOR_NEXT'] = True
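Review bot: The `session['_id'] = self._session_identifier_generator()` line in the `USE_SESSION_FOR_NEXT` branch of `unauthorized` (flask_login/login_manager.py) has no comment explaining why a session identifier is written for a visitor who has not logged in yet. Judging by the renamed test `test_unauthorized_with_next_in_strong_session`, it presumably exists so that strong session protection does not discard the stored `next` value on the following request; a comment such as `# seed '_id' so session protection keeps 'next' until the login view reads it` would record that, once confirmed against the protection check. The same line and the same gap appear in the `needs_refresh` hunk. Both method bodies start and end outside their hunks.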
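Review bot: The new `_id` removal in `logout_user` (flask_login/utils.py) is not exercised by any test in the visible diff; the only change to test_login.py is a rename. A regression test that logs in, logs out and then checks, for example, `self.assertNotIn('_id', session)` inside the request context would pin the behaviour, so a stale session identifier cannot survive logout unnoticed after a later refactor. The two added lines could also be written as `session.pop('_id', None)`, although the `if ... in session` form matches the `_fresh` handling directly above. logout_user's body starts and ends outside the hunk.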