Constant Flask Session IDs

Question

I've a Flask application, served with Nginx+WSGI (FastCGI & Gevent) and use standard Flask sessions. I do not use the session.permanent=True or any other extra option, but simply set SECRET_KEY in the default configuration.

I do not save any (key,value) pairs in the session, and only rely on the SID = session['_id'] entry to identify a returning user. I use the following code the read the SID:

@page.route ('/')
def main (page='home', template='index.html'):

    if not request.args.get ('silent', False):
        print >> sys.stderr, "Session ID: %r" % session['_id']

I made the following observations:

1. For same IP addresses, but different browsers I get different SIDs - that's expected;
2. For different IPs & same browser I again have different SIDs - expected;
3. For same IP address with same browser I get same SID - also expected;

Now, point (3) is interesting because even if a delete the corresponding cookie the SID remains constant! To some extent even that might be understandable, but actually I was expecting the SID to change between different cookies. But the only difference I see is that

session.new is True

for the first request immediately after the deletion of the cookie. Even that is very much expected; but given these facts I face the following problems:

1. Does this mean that for different users sitting behind the same IP (with the same browser configuration) my back-end will mistake them for the same user?

2. If point (1) is not the case, the current behavior of these "sticky" sessions is actually quite pleasant, since this avoids the situation where my users might loose there data just because they deleted the corresponding cookie.

   They can still save the day, by revisiting the site from the same network with the same browser. I like that, but only if point (1) is not the case.

3. I assume point (1) will actually bite me, would the conclusion actually be to save a token in the session and hence accept the fate that the user can blow himself up, by simply deleting his cookie?

4. Or is there a way to tell Flask to give different SIDs for each fresh cookie?

Actually, this question arouse since I used a load impact service, which was simulating different users (on the same IP) but my back-end kept seeing them as a single user since the corresponding SIDs were all the same.

The application is available for tests at http://webed.blackhan.ch (which upon release will move the https://notex.ch [a browser based text editor]). Thank you for your answers.

Answer 1

It looks like you're using the Flask-Login extension. Here's the code that generates the id token:

def _create_identifier():
    base = unicode("%s|%s" % (request.remote_addr,
                              request.headers.get("User-Agent")), 'utf8', errors='replace')
    hsh = md5()
    hsh.update(base.encode("utf8"))
    return hsh.digest()

It's basically just md5(ip_address + user_agent).

Flask uses Werkzeug's secure cookies to store this identifier. Secure cookies are (as their name suggests) secure:

This module implements a cookie that is not alterable from the client because it adds a checksum the server checks for. You can use it as session replacement if all you have is a user id or something to mark a logged in user.