How do I create a new clean session and invalidate the current one in Flask?
Do I use make_null_session() or open_session()?
Flask's built-in sessions are cookie-based with hashes and timestamps for validation, so there's no such thing as invalidating them in the way that you would with a key-based database-storage-backed session.
We can clear the session storage by using the clear() method.
The default session lifetime is 31 days; the user needs to specify the login refresh view in case of timeout. The above line will force the user to re-login every 5 minutes.
There's no HTTP header for deleting a cookie. Traditionally you just set the cookie to a dummy value with an expiration date in the past, so it immediately expires. This will set the session id cookie to an empty string that expires at unixtime 0, which is almost certainly in the past.
I do this by calling session.clear().
EDIT:
After reading your comment in another answer, I see that you're trying to prevent a replay attack that might be made using a cookie that was issued in the past. I solved that problem as much as possible* with this approach:
- Where save_session() calls save_cookie(), make it pass a session_expires argument 30 minutes in the future. This causes cookies more than 30 minutes old to be considered invalid.
- Have save_session() update a session variable every so often, to make sure the cookie and its session_expires time get rewritten regularly. (I name this session variable '_refresh' and store the current time in it, then rewrite it only if more than a few seconds have passed since the last-stored time. This optimization avoids rewriting the cookie on every HTTP request.)
- Duplicating Flask code in the custom save_session() makes this approach a bit ugly and brittle, but it is necessary in order to change the arguments passed to save_cookie(). It would be nice if Flask made this easier, or at least implemented its own safeguard against replay attacks.
*WARNING: This approach by itself will not stop replay attacks that might happen during a session cookie's valid lifetime. This fundamental problem with cookie-based sessions is discussed in RFC 6896 and A Secure Cookie Protocol by Liu, Kovacs, Huang, Gouda.
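The mechanism the answer above describes, as an added example that is not from the original post: a signed cookie carrying an absolute session_expires stamp, plus a '_refresh' variable that is only rewritten every few seconds so the cookie is re-issued regularly but not on every request. It uses only the standard library rather than Flask's session interface; SECRET_KEY, SESSION_LIFETIME and REFRESH_INTERVAL are constructed values for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

SECRET_KEY = b"constructed-demo-secret"  # constructed; use a random key in practice
SESSION_LIFETIME = 30 * 60               # seconds a cookie stays valid after it was written
REFRESH_INTERVAL = 10                    # rewrite the cookie only if '_refresh' is older than this

def _sign(payload: bytes) -> str:
    """Append an HMAC-SHA256 tag so the payload cannot be edited client-side."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())

def save_cookie(session: dict, now: float) -> str:
    """Serialize the session with an absolute 'session_expires' stamp and sign it."""
    data = dict(session)
    data["session_expires"] = now + SESSION_LIFETIME
    return _sign(json.dumps(data, sort_keys=True).encode())

def open_cookie(cookie: str, now: float) -> Optional[dict]:
    """Verify the signature, then reject the cookie if its embedded expiry has passed.
    None means 'start a fresh empty session': the cookie was tampered with or is too old
    to be trusted, even though the signature itself never stops validating."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if data.get("session_expires", 0) <= now:
        return None
    return data

def save_session(session: dict, now: float, current_cookie: Optional[str]) -> Optional[str]:
    """Counterpart of the answer's custom save_session(): bump '_refresh' only every
    REFRESH_INTERVAL seconds, so session_expires moves forward while the user is active.
    Returns the cookie to set, or None when the existing cookie can be left alone."""
    last = session.get("_refresh", 0)
    if current_cookie is not None and now - last < REFRESH_INTERVAL:
        return None
    session["_refresh"] = now
    return save_cookie(session, now)
```

A cookie captured at any point is still only usable until its embedded session_expires, which is the limit the warning below refers to.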
If you have security concerns (and everyone should have), here is the answer:
This is not REALLY possible.
Flask uses cookie-based sessions. When you edit or delete the session, you send a request to the client to remove the cookie, which normal clients (browsers) will do. But if the session has been hijacked by an attacker, the attacker's copy of the session remains valid.