Flask-Login

User session management for Flask — handles login, logout, and remember-me cookies without dictating authentication mechanism. Flask-Login provides: LoginManager (integrates with Flask app), @login_required decorator for protected routes, current_user proxy (accessing logged-in user from any route), load_user callback (load user from session ID), login_user()/logout_user() functions, and optional 'remember me' persistent cookies. Flask-Login stores user ID in Flask session (cookie-based); developers implement user loading from database. Works alongside Flask-SQLAlchemy for agent user models. Does NOT provide password hashing — use passlib or werkzeug.security.

Evaluated Mar 06, 2026, v0.6.x
Category: Developer Tools. Tags: python, flask, authentication, session, login, security, user-management
⚙ Agent Friendliness: 65 / 100 (Can an agent use this?)
🔒 Security: 81 / 100 (Is it safe for agents?)
⚡ Reliability: 86 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 88
Error Messages: 82
Auth Simplicity: 80
Rate Limits: 95

🔒 Security

TLS Enforcement: 82
Auth Strength: 80
Scope Granularity: 75
Dep. Hygiene: 88
Secret Handling: 82

SESSION_COOKIE_SECURE=True required for HTTPS production. SESSION_COOKIE_HTTPONLY=True prevents JavaScript access. CSRF protection not included — add Flask-WTF for form CSRF. Brute force protection not included — add rate limiting to login route for agent admin portals. Remember-me tokens stored in plain cookie — user DB must have token invalidation for logout-all-devices.

⚡ Reliability

Uptime/SLA: 88
Version Stability: 85
Breaking Changes: 82
Error Recovery: 88

Best When

You're building a Flask web application with traditional session-based login (forms, cookies) for agent admin portals, CMS, or web dashboards — Flask-Login is the standard Flask auth session manager.

Avoid When

You're building an API-first service (use JWT), you need OAuth social login (use Flask-Dance), or you have multiple stateless agent service instances without shared session storage.

Use Cases

  • Protect agent dashboard routes with @login_required — unauthorized users redirected to login page; authenticated agent operators access admin interface
  • Agent operator authentication with Flask-Login + Flask-SQLAlchemy — load_user callback fetches agent operator by ID from database; login_user(operator) establishes session after password verification
  • Remember-me for agent admin portal — login_user(user, remember=True) sets persistent cookie for agent admins who don't want to log in on every visit
  • Role-based agent access control with current_user — check current_user.role == 'admin' in route to restrict agent management operations
  • API token authentication extending Flask-Login — implement custom request_loader for Bearer token authentication alongside session-based login for agent API and web interface coexistence

Not For

  • JWT token-based stateless APIs — Flask-Login is session-based (stateful); for agent REST APIs consumed by mobile/SPA, use Flask-JWT-Extended for JWT token authentication
  • OAuth2 / social login — Flask-Login doesn't handle OAuth flows; use Flask-Dance or Authlib alongside Flask-Login for social auth for agent services
  • Microservices — Flask-Login session requires sticky sessions or shared session store; agent microservices with multiple instances need Redis session store or JWT instead

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: session
OAuth: No
Scopes: No

Session-based auth library. Integrates with Flask session (signed cookie). Remember-me uses separate persistent cookie. Does not implement password hashing — use werkzeug.security.generate_password_hash/check_password_hash.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Flask-Login is MIT licensed, maintained by Max Countryman. Free for all use.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • user_loader must return None for invalid IDs — @login_manager.user_loader callback returning None (user not found) automatically logs out and redirects; raising exception from user_loader causes 500 error instead of graceful logout
  • User model must implement is_authenticated, is_active, is_anonymous, get_id — Flask-Login requires these 4 UserMixin methods; use flask_login.UserMixin as base class for agent user models; missing any causes AttributeError on current_user access
  • SECRET_KEY required for session security — Flask-Login sessions use Flask's signed cookies; missing SECRET_KEY causes 'No secret key set for Flask application' error; use strong random SECRET_KEY from os.urandom(24) in agent app config
  • Remember-me cookie duration needs explicit config — REMEMBER_COOKIE_DURATION defaults to 365 days; set to shorter value (30 days) for agent admin accounts; REMEMBER_COOKIE_SECURE=True for HTTPS-only for agent production deployments
  • user_loader called on every request — user_loader runs a database query per request for @login_required routes; cache user object in Flask g or use session storage to avoid N database queries for agent pages with multiple protected resources
  • Multiple authentication methods need request_loader — @login_manager.request_loader decorator enables API token auth alongside session auth; request_loader runs first, user_loader for session; agent APIs can support both Bearer token and session cookie with dual loader setup

Alternatives

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Flask-Login.

$99

Scores are editorial opinions as of 2026-03-06.
