Python: Invalidate an old session in Flask
Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must do so under the same license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/13735024/
Invalidate an old session in Flask
Asked by Tyilo
How do I create a new clean session and invalidate the current one in Flask?
Do I use make_null_session() or open_session()?
Accepted answer by ?s??o?
I do this by calling session.clear().
EDIT:
After reading your comment in another answer, I see that you're trying to prevent a replay attack that might be made using a cookie that was issued in the past. I solved that problem as much as possible* with this approach:
- Override SecureCookieSessionInterface.save_session(), copying the code from the overridden version rather than calling it.
- When the overridden version of save_session() calls save_cookie(), make it pass a session_expires argument 30 minutes in the future. This causes cookies more than 30 minutes old to be considered invalid.
- Make the overridden version of save_session() update a session variable every so often, to make sure the cookie and its session_expires time get rewritten regularly. (I name this session variable '_refresh' and store the current time in it, then rewrite it only if more than a few seconds have passed since the last-stored time. This optimization avoids rewriting the cookie on every HTTP request.)
Duplicating Flask code in the custom save_session() makes this approach a bit ugly and brittle, but it is necessary in order to change the arguments passed to save_cookie(). It would be nice if Flask made this easier, or at least implemented its own safeguard against replay attacks.
*WARNING: This approach by itself will not stop replay attacks that might happen during a session cookie's valid lifetime. This fundamental problem with cookie-based sessions is discussed in RFC 6896 and "A Secure Cookie Protocol" by Liu, Kovacs, Huang, Gouda.
Answer by Sean Vieira
You can add an after_request callback to remove the session cookie if a particular flag is set:
from flask import Flask, redirect, session, url_for

app = Flask(__name__)
app.secret_key = "change-me"  # required for the signed session cookie

@app.after_request
def remove_if_invalid(response):
    # If a view flagged the session, tell the client to drop the cookie.
    if "__invalidate__" in session:
        response.delete_cookie(app.config["SESSION_COOKIE_NAME"])  # originally app.session_cookie_name, removed in Flask 2.3
    return response
Then you simply set that session key whenever you want to invalidate the session:
@app.route("/logout")
def logout():
    # Set the flag; the after_request hook above removes the cookie on this response.
    session["__invalidate__"] = True
    return redirect(url_for("index"))
See also: http://werkzeug.pocoo.org/docs/wrappers/#werkzeug.wrappers.BaseResponse.delete_cookie
Answer by codegeek
If you use default Flask sessions and set app.permanent_session_lifetime, then the session will not work if a user tries to replay the same session once the session has expired. If you look at the source code for open_session, there is this line:
# Excerpt from SecureCookieSessionInterface.open_session in older Flask releases;
# s is the itsdangerous signing serializer and val the raw session cookie value.
max_age = total_seconds(app.permanent_session_lifetime)
try:
    # An expired cookie raises SignatureExpired, a BadSignature subclass, so it
    # yields a fresh empty session exactly like a forged one does.
    data = s.loads(val, max_age=max_age)
    return self.session_class(data)
except BadSignature:
    return self.session_class()
Answer by Taha Jahangir
If you have security concerns (and everyone should have), there is the answer:
This is not REALLY possible
Flask uses cookie-based sessions. When you edit or delete the session, you send a REQUEST to the CLIENT to remove the cookie; normal clients (browsers) will do so. But if the session is hijacked by an attacker, the attacker's session remains valid.

