
Added session destruction and regeneration support

Open twolfson opened this issue 10 years ago • 7 comments

While working with flask-session, we realized we wanted to prevent session fixation attacks. These are attacks which involve a user's session id not being rotated on login nor fully erased on logout. In order to remedy that, we are adding 2 methods:

  • session_interface.destroy - Erases underlying store data and deletes user cookie (used during logout)
  • session_interface.regenerate - Generates a new session id and deletes old store data (used during login)

In this PR:

  • Added tests for destroy behavior (old behavior of setting flask.session to None or {} wasn't working since _permanent was being held)
  • Added tests for regenerate behavior
  • Added session_interface.destroy and session_interface.regenerate

Notes: It's not clear whether this should live in flask or flask-session but this was definitely the simpler solution for now. I will be opening a sibling issue on flask to get feedback.

twolfson avatar Oct 30 '15 19:10 twolfson
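Added example, not code from this PR or from flask-session: a minimal in-memory stand-in for a store-backed session interface that shows what the two methods described above must do on login and logout. The names `Session`, `InMemorySessionInterface` and `login_logout_roundtrip` are hypothetical, and a plain dict stands in for Redis.

```python
import secrets

class Session:
    def __init__(self, sid, data):
        self.sid = sid    # opaque id carried by the client cookie
        self.data = data  # the dict held in the server-side store

class InMemorySessionInterface:
    """Hypothetical store-backed interface: `store` stands in for Redis and
    `cookie` is the sid cookie the next response sets (None = delete it)."""

    def __init__(self):
        self.store = {}
        self.cookie = None

    def open_session(self, cookie_sid=None):
        """Load the session the cookie names, or start a fresh one. An unknown
        sid is never adopted, so a client cannot pick its own id."""
        if cookie_sid in self.store:
            return Session(cookie_sid, self.store[cookie_sid])
        sid = secrets.token_urlsafe(32)
        self.store[sid] = {}
        self.cookie = sid
        return Session(sid, self.store[sid])

    def regenerate(self, session):
        """Login: keep the data but move it under a fresh id and drop the old
        store key, so an id observed before authentication is worthless."""
        new_sid = secrets.token_urlsafe(32)
        self.store[new_sid] = self.store.pop(session.sid)
        session.sid = new_sid
        self.cookie = new_sid

    def destroy(self, session):
        """Logout: erase the store entry and delete the client cookie."""
        self.store.pop(session.sid, None)
        session.data.clear()
        self.cookie = None

def login_logout_roundtrip(interface):
    """Anonymous -> login -> logout; returns the facts a fixation test checks."""
    s = interface.open_session()
    pre_sid = s.sid
    s.data["cart"] = ["item"]  # anonymous state that should survive login
    interface.regenerate(s)
    post_sid, old_gone = s.sid, pre_sid not in interface.store
    kept = interface.store[post_sid].get("cart")
    interface.destroy(s)
    return pre_sid, post_sid, old_gone, kept, interface.cookie, post_sid in interface.store
```

The round trip checks the two properties the PR tests describe: the id changes on login while the old store key disappears, and logout leaves neither a store entry nor a cookie behind.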

I am realizing that we can make the API cleaner by passing session_interface to the session constructor itself. This would allow for session.destroy() calls, which under the hood have session invoke self._interface.destroy(self).

twolfson avatar Nov 01 '15 01:11 twolfson

On the Flask thread, we concluded that it's a pretty bad idea to store anything as an attribute on session as it could get picked up by a serializer (e.g. pickle).

twolfson avatar Nov 02 '15 00:11 twolfson

:+1:

mmautner avatar Jan 27 '16 17:01 mmautner

Any updates on this? I think it's pretty important and hacked something similar together for one of my projects. (Is this project even still active?)

StephanDollberg avatar Mar 11 '16 06:03 StephanDollberg

Wanted to know if there is any update on this as well

kgritesh avatar Mar 12 '16 06:03 kgritesh

👍

jeffsuarez avatar Apr 09 '16 11:04 jeffsuarez

Isn't this an incomplete implementation anyway, since you only modified the Redis interface?

cowbert avatar Jun 26 '17 21:06 cowbert

Session regeneration should be provided in flask 0.7.0; 0.7.0rc2 is now available with session_interface.regenerate(). It seems we don't need the destroy method, as session.clear() should now result in session data being deleted, since _permanent is ignored in boolean evaluation of session. Reopen a new issue if anyone believes a specific destroy function is needed.

Lxstr avatar Mar 09 '24 11:03 Lxstr