SW-565 Fix remember me and IPv4/IPv6 sessions (#113)

khaledsherkawi · foosel · web-flow · commit 93dfb1a9dcf7 · 2022-01-18T14:40:16.000+01:00
* Fix remember me and IPv4/IPv6 sessions
Session protection mode "strong" is apparently incompatible to the
remember me function in general and on top of that I observed issues
with at least Windows happily switching between connecting to an
instance via IPv4 and IPv6, causing changes in the reported client IP
and hence the session protection killing the session as a result.

Co-authored-by: Gina Häußge &lt;gina@octoprint.org&gt;
diff --git a/src/octoprint/server/__init__.py b/src/octoprint/server/__init__.py
@@ -438,7 +438,12 @@ def template_disabled(name, plugin):
 			events.DebugEventListener()
 
 		loginManager = LoginManager()
-		loginManager.session_protection = "strong"
+
+		# "strong" is incompatible to remember me, see maxcountryman/flask-login#156. It also causes issues with
+		# clients toggling between IPv4 and IPv6 client addresses due to names being resolved one way or the other as
+		# at least observed on a Win10 client targeting "localhost", resolved as both "127.0.0.1" and "::1"
+		loginManager.session_protection = "basic"
+
 		loginManager.user_callback = load_user
 		if not userManager.enabled:
 			loginManager.anonymous_user = users.DummyUser
