Hello @marcoV,
Thanks for bringing this up.
Using any of those methods, or flask_login by itself will not keep from people doing things to share the logins.
For example, someone could always forward the email that you are sending for the login or do other things. The default session cookie could also be shared and bypass the info. Thus why making sure your cookies are secure is a big thing.
Honestly, if you are wanting to have a subscription based product and using logins and you are concerned with people sharing the app, this is where your legal team needs to step in to make a:
- privacy policy
- end user license agreement
- need to make sure there is a cookie consent
On top of this, because the user has accepted these things, and they use the app in a manner that is not along the agreement, then you can disable their account.
You will also need to be additionally monitoring their account for any activity outside of the norm. Locations aren’t in the same area, etc.
This is all if you mind people sharing their login.
You could also have something in there which limits the sessions to something like 3 to 5. Microsoft uses this for its licenses as well, so might be a good starting point. This would allow people to log in on their phone and computer and one other device.
You would also need a mechanism that checks whether their session should be logged out. 