
API components to defend against session management vulnerabilities.

Open lanmaster53 opened this issue 8 years ago • 4 comments

Unless I'm missing something, I don't see where this module exposes the necessary APIs to prevent vulnerabilities such as Session Fixation. In a scenario where you need a pre-authenticated session, how would one create a new session, move the contents of the old session over to the new session, remove the old session, and update the cookie to reflect the token for the new session? I realize I can use session.clear() to remove the old session, but that is only 1/4 of the problem. Am I missing something? Or is that logic that has yet to be written?

lanmaster53 avatar May 20 '16 02:05 lanmaster53

Maybe you could try to use a signer? Just set the SESSION_USE_SIGNER to True.

fengsp avatar Jul 21 '16 10:07 fengsp

This may be helpful

https://github.com/fengsp/flask-session/pull/27

jtl999 avatar Sep 27 '16 20:09 jtl999

This issue was moved to mcrowson/flask-session#5

mcrowson avatar Feb 12 '17 00:02 mcrowson

Setting SESSION_USE_SIGNER to True may defend against some attacks, but it doesn't defend against session fixation attacks. As an attacker, I can do my own request to the app to have a valid session identifier created, signed and sent to me as a cookie. I can then extract that session identifier and use it in my attack.

irgeek avatar Jun 18 '18 00:06 irgeek
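The two points raised in this thread (the four-step regeneration procedure from the opening post, and the observation above that a signed session cookie does nothing against fixation because the attacker simply asks the app for a valid signed one) can be shown side by side. The following is an added, stand-alone Python model written for this page; it is not Flask-Session's code and makes no claim about how its backends are implemented. The `SessionStore`, `App`, the HMAC cookie signer and the `fixation_attack` driver are all hypothetical stand-ins constructed for the demonstration, and `SECRET_KEY` is a constructed value.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key-do-not-use"  # constructed for this example only


class SessionStore:
    """Hypothetical in-memory server-side store: session id -> dict of session data."""

    def __init__(self):
        self._data = {}

    def new(self):
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {}
        return sid

    def get(self, sid):
        return self._data.get(sid)

    def regenerate(self, old_sid):
        """The four steps from the issue: new session, move contents over,
        remove the old session, hand back the new id for the cookie."""
        data = self._data.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = data
        return new_sid


def sign(sid):
    """HMAC-sign a session id; models 'use a signer' (tamper detection only)."""
    mac = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def unsign(cookie):
    """Return the session id if the MAC verifies, else None."""
    try:
        sid, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(mac, expected) else None


class App:
    """Hypothetical app; regenerate_on_login toggles the missing defence."""

    def __init__(self, store, regenerate_on_login):
        self.store = store
        self.regenerate_on_login = regenerate_on_login

    def _resolve(self, cookie):
        # Any request without a valid, known session gets a fresh one (this is
        # exactly what lets the attacker obtain a legitimately signed cookie).
        sid = unsign(cookie) if cookie else None
        if sid is None or self.store.get(sid) is None:
            sid = self.store.new()
        return sid

    def visit(self, cookie):
        return sign(self._resolve(cookie))

    def login(self, cookie, username):
        sid = self._resolve(cookie)
        if self.regenerate_on_login:
            sid = self.store.regenerate(sid)  # privilege change => new identifier
        self.store.get(sid)["user"] = username
        return sign(sid)  # new Set-Cookie value

    def whoami(self, cookie):
        sid = unsign(cookie) if cookie else None
        sess = self.store.get(sid) if sid else None
        return sess.get("user") if sess else None


def fixation_attack(regenerate_on_login):
    """Returns (what the attacker's cookie resolves to, what the victim's does)."""
    app = App(SessionStore(), regenerate_on_login)
    attacker_cookie = app.visit(None)           # attacker gets a valid signed cookie
    victim_cookie = attacker_cookie             # attacker plants it in the victim's browser
    victim_cookie = app.login(victim_cookie, "alice")  # victim authenticates on that session
    return app.whoami(attacker_cookie), app.whoami(victim_cookie)
```

With `regenerate_on_login=False` the attacker's original cookie now resolves to alice's authenticated session even though every cookie was correctly signed; with `regenerate_on_login=True` the old identifier no longer exists server-side, so the planted cookie is dead while alice's new cookie still carries her session data. The signer only rejects tampered cookies, which is a different threat.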

Closed in favor of #27

Lxstr avatar Feb 25 '24 12:02 Lxstr