
Why does setting remember=False still keep me logged in?

Using Flask-Login, I can log users in and out, as well as sign up new users. If I log in then navigate away to some other site, and then return to my site, I'm still logged in. Shouldn't login_user(user, remember=False) prevent this? Am I misunderstanding how this works?

In views.py I have, among other code:

# flask.ext.* imports were removed in Flask 1.0; import the package directly
from flask_login import login_user, logout_user, current_user, login_required

@app.route('/signup', methods=['GET', 'POST'])
def signup():
    form = SignupForm()
    if form.validate_on_submit():
        user = User.query.filter_by(email = form.email.data.lower()).first()
        if user:
            flash("Email already exists!")
            return redirect(url_for('signup'))
        elif form.password.data != form.password2.data:
            flash("Passwords do not match.")
            return redirect(url_for('signup'))
        else:
            newuser = User(email=form.email.data, nickname=form.username.data)
            newuser.pwdhash = generate_password_hash(form.password.data)
            db.session.add(newuser)
            db.session.commit()
            login_user(newuser, remember=False)
            flash("Thank you for registering")
            return redirect(url_for('index'))
    return render_template('signup.html',  form=form)

@app.route('/login', methods=['GET', 'POST'])
def login():
    form = SigninForm()
    if form.validate_on_submit():
        user = User.query.filter_by(email = form.email.data.lower()).first()
        if user and check_password_hash(user.pwdhash, form.password.data):
            login_user(user,  remember=False)
            return redirect(url_for('index'))
        else:
            flash('huh')
            return redirect(url_for('login'))
    else:
        return render_template('login.html', form=form)
theQman asked Oct 19 '25 15:10


1 Answer

Flask-Login's remember flag sets a special cookie in addition to Flask's session cookie. This remember cookie persists across browser restarts, by default for 30 days, but is only created if remember is true.

Flask's session cookie is present even if remember is false, so you'll stay logged in for the duration of a single browser session. Flask's session cookie can be made to persist also, but that is outside the scope of Flask-Login.

The behavior you are observing is completely normal. There is no way to automatically log someone out of the current session when they leave your site.

From the docs, emphasis mine:

A cookie will be saved on the user’s computer, and then Flask-Login will automatically restore the user ID from that cookie if it is not in the session.

davidism answered Oct 21 '25 05:10
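
The cookie distinction described in the answer can be checked from the Set-Cookie headers of a login response. This is an added example, not part of the question, the answer, or Flask-Login; the header values are constructed, and the cookie names assume the defaults (`session` for Flask, `remember_token` for Flask-Login).

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (shortened values, not captured from a real app).
# remember=False: only Flask's session cookie, with no Expires/Max-Age.
LOGIN_REMEMBER_FALSE = [
    "session=eJwlzj0OAjEMBeG7pKZ; HttpOnly; Path=/",
]
# remember=True: Flask-Login adds a remember cookie with a 30-day lifetime.
LOGIN_REMEMBER_TRUE = [
    "session=eJwlzj0OAjEMBeG7pKZ; HttpOnly; Path=/",
    "remember_token=7x3f9c1a; Expires=Thu, 20 Nov 2025 05:10:00 GMT; "
    "Max-Age=2592000; HttpOnly; Path=/",
]
# Session cookie made persistent by the application (outside Flask-Login).
LOGIN_PERMANENT_SESSION = [
    "session=eJwlzj0OAjEMBeG7pKZ; Expires=Fri, 21 Nov 2025 05:10:00 GMT; "
    "HttpOnly; Path=/",
]


def classify(set_cookie_headers):
    """Map each cookie name to 'browser-session' or 'persistent'.

    A cookie without Expires or Max-Age is dropped when the browser session
    ends; one with either attribute is kept on disk until that time.
    """
    result = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            persistent = bool(morsel["expires"] or morsel["max-age"])
            result[name] = "persistent" if persistent else "browser-session"
    return result


def survives_browser_restart(set_cookie_headers):
    """True if any cookie in the login response outlives the browser session."""
    return "persistent" in classify(set_cookie_headers).values()


if __name__ == "__main__":
    for label, headers in [("remember=False", LOGIN_REMEMBER_FALSE),
                           ("remember=True", LOGIN_REMEMBER_TRUE),
                           ("permanent session", LOGIN_PERMANENT_SESSION)]:
        print(label, classify(headers), survives_browser_restart(headers))
```

Navigating to another site and back does not end the browser session, so the `session` cookie in the first case is still sent and the user is still logged in.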