I have a Flask application on my local network which connects to a mail server and web service. All three use the same LDAP authentication source, and I would like to avoid requiring users to provide the same credentials each time the application connects to one of these interfaces.
What is the most secure way to hold a user's credentials for the lifetime of the session so they can be shared with the other interfaces?
One option I've found is Flask-KVSession, which stores the session variables server-side.
Update: In testing, I have experimented with dropping the credentials into a dict in app.config when a user logs in. It seems like it should be a bad idea, but I haven't figured out why yet. I know it creates the possibility for the credentials for an active session to disappear, but it's easy enough to see if they exist and prompt for them again if they don't. Plus, they won't be written to the filesystem like variables in server-side sessions would be.
I'd like to know if I'm missing any obvious problems with this approach.
A browser never sends a cookie marked Secure on a request that is not encrypted. With Flask, you control the Secure flag on the session cookie with the SESSION_COOKIE_SECURE configuration setting. By default it is False, so the browser sends the session cookie over plain HTTP as well as HTTPS; set it to True whenever the session cookie identifies stored credentials.
Quite simply put, the only secure way to store a password you merely need to verify is not to store it at all: run it through a password hashing algorithm and keep the hash. That advice does not cover credentials that must be forwarded to another service, as in the question, since a hash cannot be replayed to the mail server; in that case the goal becomes limiting where the plaintext lives, who can reach it, and for how long.
Flask-Session is an extension for Flask that adds server-side sessions to an application. A session spans the time between a client logging in to the server and logging out. The session data is kept on the server in the configured backend (for example the filesystem or a cache such as Redis), and the client's cookie carries only a session identifier.
I would definitely use something like Flask-KVSession to store the user's credentials in the server-side session (+1 for that - I hadn't seen that extension before). That will ensure that you are not passing the user's credentials back and forth in a cookie. I would add Flask-Login to deal with the more interesting parts of session management without having to discover all the issues yourself.
Dropping the credentials into app.config is not a good idea because app.config is not a LocalProxy and therefore is not thread-safe. You are not guaranteed that changes you make to app.config for one request will not wind up affecting other requests. (You can read more about context locals here and here).
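The server-side store the answer recommends, as an added stdlib-only example that is not part of the original thread and does not use Flask, Flask-KVSession or Flask-Login: the cookie carries only a random token, the username/password pair stays in a process-local dict behind a lock, and entries expire so a stale token cannot be replayed indefinitely. The names CredentialVault, login, lookup, logout, cookie_header and SESSION_TTL are my own, and the eight-hour lifetime is an assumed value.

```python
"""Hold a user's credentials server-side for the lifetime of a session.

The client cookie carries only an unguessable token; the username/password
pair stays in server memory and is looked up by that token on every request
that has to authenticate to the mail server or the web service.
"""
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from threading import Lock
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL = 8 * 3600  # assumed session lifetime in seconds; tune to policy


@dataclass
class _Entry:
    username: str
    password: str
    expires_at: float


class CredentialVault:
    """In-memory, per-process credential store keyed by session token.

    One lock guards the dict, so concurrent request threads cannot observe a
    half-updated table. Each login gets its own token, so a request can only
    ever reach the credentials of the session whose cookie it presents.
    """

    def __init__(self, ttl: int = SESSION_TTL,
                 clock: Callable[[], float] = time.time):
        self._entries: Dict[str, _Entry] = {}
        self._lock = Lock()
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically

    def login(self, username: str, password: str) -> str:
        """Store the credentials and return the opaque token for the cookie."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        with self._lock:
            self._entries[token] = _Entry(username, password,
                                          self._clock() + self._ttl)
        return token

    def lookup(self, token: Optional[str]) -> Optional[Tuple[str, str]]:
        """Return (username, password) for a live session, else None.

        None is the signal to prompt the user to log in again: an unknown,
        forged or expired token is treated exactly like a missing one.
        """
        if not token:
            return None
        with self._lock:
            entry = self._entries.get(token)
            if entry is None:
                return None
            if entry.expires_at <= self._clock():
                del self._entries[token]  # purge lazily on first use after expiry
                return None
            return entry.username, entry.password

    def logout(self, token: Optional[str]) -> None:
        """Forget the credentials immediately; the cookie becomes useless."""
        if token:
            with self._lock:
                self._entries.pop(token, None)


def cookie_header(token: str, max_age: int = SESSION_TTL) -> str:
    """Build the Set-Cookie value that carries the token.

    Secure stops the browser sending it over plain HTTP (what
    SESSION_COOKIE_SECURE=True does for Flask's own cookie), HttpOnly keeps
    page scripts from reading it, SameSite=Lax blocks most cross-site reuse.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["max-age"] = max_age
    return cookie.output(header="").strip()


if __name__ == "__main__":
    vault = CredentialVault()
    # Constructed sample credentials, not real ones.
    token = vault.login("alice", "correct horse battery staple")
    print(cookie_header(token))
    print(vault.lookup(token))           # the session's own credentials
    print(vault.lookup("forged-token"))  # None: prompt for login again
```

A request handler calls lookup with the cookie value before binding to the mail server or web service and redirects to the login form when it gets None, which is exactly the "check if they exist and prompt again" behaviour the question describes. Because the dict is per-process, a deployment with several worker processes gives each worker its own vault; that is the situation where a shared backend of the kind Flask-KVSession can be configured with is preferable to anything process-local.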