.. currentmodule:: flaskext.login
-Flask-Login provides user session management for Flask, allowing you to log
-your users in and out easily.
+Flask-Login provides user session management for Flask. It handles the common
+tasks of logging in, logging out, and remembering your users' sessions over
+extended periods of time.
- Let you restrict views to logged-in (or logged-out) users.
- Handle the normally-tricky "remember me" functionality.
-- Possibly integrate with Flask-Principal later on.
+- Help protect your users' sessions from being stolen by cookie thieves.
+- Possibly integrate with Flask-Principal or other authorization extensions
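Review bot: the added bullet "Possibly integrate with Flask-Principal or other authorization extensions" drops the full stop that the removed bullet ("Possibly integrate with Flask-Principal later on.") carried; end it with a period so it matches the two bullets above it in the same list.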
"non-fresh." `login_required` does not differentiate between freshness, which
is fine for most pages. However, sensitive actions like changing one's
personal information should require a fresh login. (Actions like changing
-one's password should always require a password re-entry
+one's password should always require a password re-entry .)
`fresh_login_required`, in addition to verifying that the user is logged
in, will also ensure that their login is fresh. If not, it will send them to
+To mark a session as fresh again, call the `confirm_login` function.
thieves, the session cookie is still vulnerable. Flask-Login includes session
protection to help prevent your users' sessions from being stolen.
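Review bot: the added line "+one's password should always require a password re-entry .)" has a stray space before the closing period; it should read "re-entry.)". Minor, but this is rendered user-facing documentation.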
-You can configure
Session Protection on the `LoginManager`, and in the app's
+You can configure ession rotection on the `LoginManager`, and in the app's
configuration. If it is enabled, it can operate in either `basic` or `strong`
mode. To set it on the `LoginManager`, set the
`~LoginManager.session_protection` attribute to ``"basic"`` or ``"strong"``::
app's configuration by setting the `SESSION_PROTECTION` setting to `None`,
``"basic"``, or ``"strong"``.
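Review bot: the added line "+You can configure ession rotection on the `LoginManager`, and in the app's" is missing the first letters of "Session Protection", and the removal only drops the old "You can configure" line while keeping the context line "Session Protection on the `LoginManager`, and in the app's", so the rendered paragraph would contain that fragment twice. Remove that context line as well and fix the spelling of "Session Protection".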
Session Protection is active, each request, it generates an identifier
+When ession rotection is active, each request, it generates an identifier
for the user's computer (basically, the MD5 hash of the IP address and user
agent). If the session does not have an associated identifier, the one
generated will be stored. If it has an identifier, and it matches the one
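Review bot: the same spelling defect appears in "+When ession rotection is active, each request, it generates an identifier": "Session Protection" has lost its initial letters. While touching the line, "each request, it generates" reads awkwardly; "on each request it generates" is clearer.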