I'm working on a project (academic, not a company project) and I am having trouble using itsdangerous and the login manager from flask-login.
I created a signup form, entered my name, email and password, and then when I restart the server I get this:
```
itsdangerous.BadTimeSignature
BadTimeSignature: Signature 'GAMjfzQpbKlPraWesdT49W40pA8' does not match
```
The flow of the error is like this:
```
return render_template('index.html')
ctx.app.update_template_context(context)
context.update(func())
return dict(current_user=_get_user())
current_app.login_manager._load_user()
return self._load_from_cookie(request.cookies[cookie_name])
user = self.token_callback(cookie)
line 93, in load_token
data = login_serializer.loads(token, max_age=max_age)
.unsign(s, max_age, return_timestamp=True)
in unsign
date_signed=timestamp)
BadTimeSignature: Signature 'GAMjfzQpbKlPraWesdT49W40pA8' does not match
```
The source of the problem is here in the main app file (line 93, in `load_token`, is `data = login_serializer.loads(token, max_age=max_age)`):
```python
@login_manager.token_loader
def load_token(token):
    max_age = app.config["REMEMBER_COOKIE_DURATION"].total_seconds()
    # Verify the signature and the timestamp (max_age), then deserialize the
    # [id, email, pwd] list. The token is signed, not encrypted.
    data = login_serializer.loads(token, max_age=max_age)
    # Look the user up by the id stored in the token (plain SQLAlchemy session
    # and User model assumed here; the question abbreviates this lookup).
    user = session.query(User).get(data[0])
    if user:
        if data[2] == user.pwd:
            return user
    return None
```
`app.config["REMEMBER_COOKIE_DURATION"]` is set as
`app.config["REMEMBER_COOKIE_DURATION"] = some timedelta days`
where `timedelta` is imported from `datetime`.
The model file has the user model defined as a SQLAlchemy model:
```python
from sqlalchemy import Column, Integer, String
from sqlalchemy.ext.declarative import declarative_base

Base = declarative_base()


class User(Base):
    # Table name and column types are assumed; the question only names the attributes.
    __tablename__ = "users"
    id_ = Column(Integer, primary_key=True)
    email = Column(String, unique=True)
    pwd = Column(String)

    def get_auth_token(self):
        return login_serializer.dumps([str(self.id_), self.email, self.pwd])
```
The login serializer is based on:
```python
from itsdangerous import URLSafeTimedSerializer

app.secret_key = gen_random_key()
login_serializer = URLSafeTimedSerializer(app.secret_key)
```
Without the login manager the submit route was working.
I want to know how the `load_token()` function line
`data = login_serializer.loads(token, max_age=max_age)`
affects the token generated from the User model, and why it should check for a match at a route, say '/', or any route that anyone can visit.
Do I need to set permission limits so that the login manager does not check every route?
As I understand it, the alternative token is generated to bind session cookies more securely to server-side state, since the server-side information will be compared; as can be seen from `get_auth_token`, it takes some User attributes and gives out a random-looking secure string for a token.
You are creating a new secret each time here:
```python
from itsdangerous import URLSafeTimedSerializer

app.secret_key = gen_random_key()
login_serializer = URLSafeTimedSerializer(app.secret_key)
```
Don't do that. Create one secret for your application, and keep using it throughout. Your keys are signed with this server-side secret, and then, when the cookie is sent back from the browser, the same secret is used again to validate that the contents haven't been changed.
If you change the secret each time, the previously generated cookies are always going to be invalid, as they won't match the new secret.
Store the secret with your application configuration.
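To see concretely why the answer's advice matters, here is an added example; it is not code from the question, the answer, or the itsdangerous library. `TimedSerializer` is a small standard-library stand-in that mimics the `payload.timestamp.signature` layout of `URLSafeTimedSerializer` (a fresh-per-process key is simulated with `secrets.token_hex`, `STABLE_KEY` stands in for a value loaded from app config, and `SAMPLE_USER` is constructed to match what the question's `get_auth_token()` puts in the token). It shows the restart failure, the fix, the `max_age` expiry path, and one caveat the question's token design carries: the payload is signed, not encrypted, so the `pwd` field in the token can be read by anyone holding the cookie without knowing the key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample: what the question's get_auth_token() puts in the token.
SAMPLE_USER = ["7", "alice@example.com", "pbkdf2-hash-placeholder"]

# Placeholder for the one fixed secret the answer says to keep in app config.
STABLE_KEY = "load-me-from-app.config['SECRET_KEY']"


class BadSignature(Exception):
    """Signature does not match (wrong key or tampered token)."""


class SignatureExpired(BadSignature):
    """Signature is valid but the token is older than max_age."""


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TimedSerializer:
    """Stand-in for itsdangerous.URLSafeTimedSerializer (not the real library):
    base64url(payload).base64url(timestamp).base64url(HMAC-SHA1)."""

    def __init__(self, secret_key, salt=b"cookie-session"):
        # Derive the signing key from secret + salt, as the real library does.
        self.key = hashlib.sha256(salt + secret_key.encode()).digest()

    def _sign(self, msg):
        return _b64e(hmac.new(self.key, msg.encode(), hashlib.sha1).digest())

    def dumps(self, obj, now=None):
        ts = int(time.time() if now is None else now)
        msg = f"{_b64e(json.dumps(obj).encode())}.{_b64e(ts.to_bytes(8, 'big'))}"
        return f"{msg}.{self._sign(msg)}"

    def loads(self, token, max_age=None, now=None):
        parts = token.split(".")
        if len(parts) != 3:
            raise BadSignature("malformed token")
        payload, ts, sig = parts
        # Constant-time compare; nothing in the token is trusted before this passes.
        if not hmac.compare_digest(self._sign(f"{payload}.{ts}"), sig):
            raise BadSignature(f"Signature {sig!r} does not match")
        signed_at = int.from_bytes(_b64d(ts), "big")
        current = time.time() if now is None else now
        if max_age is not None and current - signed_at > max_age:
            raise SignatureExpired("token expired")
        return json.loads(_b64d(payload))


def check_token(serializer, token, max_age, now):
    """Classify a token the way a token_loader must: 'ok', 'expired' or 'bad-signature'."""
    try:
        serializer.loads(token, max_age=max_age, now=now)
        return "ok"
    except SignatureExpired:
        return "expired"
    except BadSignature:
        return "bad-signature"


def survives_restart(random_key_each_start):
    """Sign a remember-me token, simulate a server restart, and load it again.
    With a gen_random_key()-style key on every start the two processes differ."""
    key_before = secrets.token_hex(32) if random_key_each_start else STABLE_KEY
    key_after = secrets.token_hex(32) if random_key_each_start else STABLE_KEY
    token = TimedSerializer(key_before).dumps(SAMPLE_USER, now=1_700_000_000)
    thirty_days = 30 * 86400
    return check_token(TimedSerializer(key_after), token, thirty_days, now=1_700_000_100)


def peek_payload(token):
    """Read the payload with no key at all: the token is signed, not encrypted,
    so whatever get_auth_token() placed in it (including pwd) is readable."""
    return json.loads(_b64d(token.split(".")[0]))


if __name__ == "__main__":
    print("random key per start:", survives_restart(True))   # bad-signature
    print("stable key:", survives_restart(False))            # ok
    print("payload without key:", peek_payload(TimedSerializer(STABLE_KEY).dumps(SAMPLE_USER)))
```

The `peek_payload` result is the practical reason not to put the password (or its hash) into the token: a stolen cookie gives it away for free. A random per-user token column stored server side, compared inside `load_token`, keeps the binding the question is after without exposing the credential.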