Invalidate an old session in Flask

Tags: python, flask

How do I create a new clean session and invalidate the current one in Flask?

Do I use make_null_session() or open_session()?

Tyilo asked Dec 06 '12 00:12



2 Answers

I do this by calling session.clear().

EDIT:

After reading your comment in another answer, I see that you're trying to prevent a replay attack that might be made using a cookie that was issued in the past. I solved that problem as much as possible* with this approach:

  • Override SecureCookieSessionInterface.save_session(), copying the code from the overridden version rather than calling it.
  • When the overridden version of save_session() calls save_cookie(), make it pass a session_expires argument 30 minutes in the future. This causes cookies more than 30 minutes old to be considered invalid.
  • Make the overridden version of save_session() update a session variable every so often, to make sure the cookie and its session_expires time get rewritten regularly. (I name this session variable '_refresh' and store the current time in it, then rewrite it only if more than a few seconds have passed since the last-stored time. This optimization avoids rewriting the cookie on every HTTP request.)

Duplicating Flask code in the custom save_session() makes this approach a bit ugly and brittle, but it is necessary in order to change the arguments passed to save_cookie(). It would be nice if Flask made this easier, or at least implemented its own safeguard against replay attacks.

*WARNING: This approach by itself will not stop replay attacks that might happen during a session cookie's valid lifetime. This fundamental problem with cookie-based sessions is discussed in RFC 6896 and A Secure Cookie Protocol by Liu, Kovacs, Huang, Gouda.

ʇsәɹoɈ answered Sep 21 '22 05:09
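The three bullet points above describe a sliding 30-minute validity window carried inside the signed cookie, plus a throttled '_refresh' stamp so the cookie is not rewritten on every request. The following is an added, self-contained model of that mechanism written for this page; it is not the answerer's code and not Flask's SessionInterface. It uses only the standard library (an HMAC-SHA256 signed, base64 "payload.signature" cookie in the style of itsdangerous) so the expiry and refresh logic can be exercised without a Flask app. SECRET_KEY, MAX_AGE, REFRESH_EVERY and the `sign_session`/`load_session`/`save_session` names are constructed for the example; in a real Flask override the equivalent work happens in `open_session()` and the custom `save_session()`.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; a real app would use app.secret_key.
SECRET_KEY = b"constructed-demo-secret-key"
MAX_AGE = 30 * 60        # validity window from the answer: 30 minutes
REFRESH_EVERY = 10       # rewrite the cookie only if '_refresh' is older than this


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, as itsdangerous does for Flask cookies.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise and HMAC-sign a session dict into a 'payload.signature' value."""
    payload = _b64(json.dumps(data, sort_keys=True).encode("utf-8"))
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def load_session(cookie: str, now: float, key: bytes = SECRET_KEY) -> dict:
    """Model of open_session(): return the session dict, or {} (a clean session)
    when the signature is bad or the signed '_expires' stamp has passed."""
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return {}
        data = json.loads(_unb64(payload))
        if not isinstance(data, dict):
            return {}
    except (ValueError, TypeError):
        # Malformed base64/JSON, or no '.' separator: treat as no cookie at all.
        return {}
    expires = data.get("_expires")
    # A cookie without a stamp was not issued by this code path; reject it too.
    if not isinstance(expires, (int, float)) or now > expires:
        return {}
    return data


def save_session(data: dict, now: float, key: bytes = SECRET_KEY):
    """Model of the overridden save_session(): return the new cookie value, or
    None when the current cookie is still fresh and need not be rewritten.
    Every rewrite pushes '_expires' another MAX_AGE into the future, so an
    active user keeps a valid cookie while an old copy goes stale."""
    last = data.get("_refresh")
    if isinstance(last, (int, float)) and now - last < REFRESH_EVERY:
        return None
    stamped = dict(data, _refresh=now, _expires=now + MAX_AGE)
    return sign_session(stamped, key)


if __name__ == "__main__":
    t0 = 1_000_000.0                       # constructed clock, seconds
    cookie = save_session({"user_id": 42}, t0)
    print("fresh:", load_session(cookie, t0 + 60))        # session still valid
    print("replayed:", load_session(cookie, t0 + 45 * 60))  # {} after the window
```

The test of the replay window is the last two calls: a cookie issued at t0 still loads a minute later, but the same cookie presented 45 minutes later comes back as an empty session, which is the behaviour the answer is after. Exactly as the answer's own warning says, a copied cookie presented inside the window is still accepted; the window only bounds how long that copy stays useful.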


If you have security concerns (and everyone should have), there is the answer:

This is not REALLY possible

Flask uses cookie-based sessions. When you edit or delete the session, you send a REQUEST to the CLIENT to remove the cookie, which normal clients (browsers) will do. But if the session is hijacked by an attacker, the attacker's session remains valid.

Taha Jahangir answered Sep 19 '22 05:09