diff --git a/flask_login/login_manager.py b/flask_login/login_manager.py
index d77fbd81..2e6979f7 100644
--- a/flask_login/login_manager.py
+++ b/flask_login/login_manager.py
@@ -169,6 +169,7 @@ def unauthorized(self):
         config = current_app.config
         if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
             login_url = expand_login_view(login_view)
+            session['_id'] = current_app.login_manager._session_identifier_generator()
             session['next'] = make_next_param(login_url, request.url)
             redirect_url = make_login_url(login_view)
         else:
@@ -281,6 +282,7 @@ def needs_refresh(self):
         config = current_app.config
         if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
             login_url = expand_login_view(self.refresh_view)
+            session['_id'] = current_app.login_manager._session_identifier_generator()
             session['next'] = make_next_param(login_url, request.url)
             redirect_url = make_login_url(self.refresh_view)
         else:
diff --git a/test_login.py b/test_login.py
index c34089b5..8cfda8eb 100644
--- a/test_login.py
+++ b/test_login.py
@@ -518,6 +518,25 @@ def login():
                              'http://localhost/login')
             self.assertEqual(c.get('/login').data.decode('utf-8'), '/secret')
 
+    def test_unauthorized_with_next_in_strong_session_where_current_user_is_called(self):
+        self.login_manager.login_view = 'login'
+        self.app.config['SESSION_PROTECTION'] = 'strong'
+        self.app.config['USE_SESSION_FOR_NEXT'] = True
+
+        @self.app.route('/login')
+        def login():
+            if(current_user.is_authenticated):
+                # Or anything that touches current_user
+                pass
+            return session.pop('next', '')
+
+        with self.app.test_client() as c:
+            result = c.get('/secret')
+            self.assertEqual(result.status_code, 302)
+            self.assertEqual(result.location,
+                             'http://localhost/login')
+            self.assertEqual(c.get('/login').data.decode('utf-8'), '/secret')
+
     def test_unauthorized_uses_blueprint_login_view(self):
         with self.app.app_context():
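Review bot: The added `session['_id']` line in unauthorized() reaches the manager through `current_app.login_manager` even though it runs inside a LoginManager method, so `self._session_identifier_generator()` is the direct form; the same applies to the identical line in the needs_refresh hunk. Neither hunk says why the identifier is written right before `session['next']`, and a one-line comment would spare the next reader a trip through the test: `# bind the session to this client first so strong SESSION_PROTECTION does not discard it (and 'next') when current_user is touched in the login view`. Since the two hunks duplicate the line, a small helper such as `def _bind_session_id(self): session['_id'] = self._session_identifier_generator()` called from both branches would keep them in step. unauthorized() continues outside the hunk.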
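Review bot: In needs_refresh() the caller is an already logged-in user whose login is merely stale, so the added line overwrites whatever `session['_id']` the session already carried with the current request's identifier before the user has re-authenticated; if session protection had noticed that identifier changing, the overwrite masks that on later requests. Unless replacing an existing identifier is intended here, only fill in a missing one: `session.setdefault('_id', self._session_identifier_generator())`, and note the reason in a short comment. Whether a mismatched identifier can still reach this branch depends on the protection-mode handling elsewhere in the file, which is not visible in this hunk. needs_refresh() continues outside the hunk.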