Set session ID when setting next

flask_login/login_manager.py

@@ -169,6 +169,7 @@ def unauthorized(self):
         config = current_app.config
         if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
             login_url = expand_login_view(login_view)
+            session['_id'] = current_app.login_manager._session_identifier_generator()
             session['next'] = make_next_param(login_url, request.url)
             redirect_url = make_login_url(login_view)
         else:
@@ -281,6 +282,7 @@ def needs_refresh(self):
         config = current_app.config
         if config.get('USE_SESSION_FOR_NEXT', USE_SESSION_FOR_NEXT):
             login_url = expand_login_view(self.refresh_view)
+            session['_id'] = current_app.login_manager._session_identifier_generator()
             session['next'] = make_next_param(login_url, request.url)
             redirect_url = make_login_url(self.refresh_view)
         else:

test_login.py

@@ -518,6 +518,25 @@ def login():
                              'http://localhost/login')
             self.assertEqual(c.get('/login').data.decode('utf-8'), '/secret')
 
+    def test_unauthorized_with_next_in_strong_session_where_current_user_is_called(self):
+        self.login_manager.login_view = 'login'
+        self.app.config['SESSION_PROTECTION'] = 'strong'
+        self.app.config['USE_SESSION_FOR_NEXT'] = True
+
+        @self.app.route('/login')
+        def login():
+            if(current_user.is_authenticated):
+                # Or anything that touches current_user
+                pass
+            return session.pop('next', '')
+
+        with self.app.test_client() as c:
+            result = c.get('/secret')
+            self.assertEqual(result.status_code, 302)
+            self.assertEqual(result.location,
+                             'http://localhost/login')
+            self.assertEqual(c.get('/login').data.decode('utf-8'), '/secret')
+
     def test_unauthorized_uses_blueprint_login_view(self):
         with self.app.app_context():