flask-session icon indicating copy to clipboard operation
flask-session copied to clipboard

Published 20 hours ago verified publisher icon pallets-eco

Sessions are being saved to the datastore even if they are not permanant

Open marcuspen opened this issue 7 years ago • 2 comments

It seems that non-permanent sessions are being saved in the datastore.

For example, if SESSIONS_PERMANENT config option is set to False, Flask states that they should end when the browser is closed. However, in this plugin, the session is being saved to Redis (or whatever datastore you are using) with the default permanent session lifetime, whether the session is permanent or not. See: https://github.com/fengsp/flask-session/blob/master/flask_session/sessions.py#L166

Is this intended?

If not, I suggest that we add an if statement to check if the session is permanent before we save anything to a datastore.

We have come across an issue with this at my company, we will fork and raise a PR with our intended fix shortly...

marcuspen avatar Oct 26 '17 15:10 marcuspen

I have the same problem. It seems that adding 'session.permanent = False' before setting sessions will work.

halcyon370 avatar Dec 01 '17 05:12 halcyon370

I also have this issue.

Is the Flash_Session Extension still actively maintained?

wavesailor avatar Feb 05 '19 19:02 wavesailor

It is now been transferred to pallets and maintained. @marcuspen I know this is old but can you confirm with me if your intention was to use permanent client-side and non-permanent server-sessions in the same application? That is not previously something I had considered nor thought possible.

I have so far intended to make all permanent and non-permanent sessions save to datastore AND use the expiry of PERMANENT_SESSION_LIFETIME. This was previously inconsistently implemented by the original author and I had taken that to be the intent.

Without saving to datastore the only place you could keep session data is client side, which Flask-Session cannot do and so makes me wonder about what the use case is. A reproduction would be great.

In the PR for #212 I have also included documentation on this. However, before I merge I would like to know more

Lxstr avatar Feb 25 '24 09:02 Lxstr

Perhaps the intent was to simply prevent the empty sessions from being saved to storage, that would make sense to me given this was considered a previous bug and fixed.

Lxstr avatar Feb 25 '24 09:02 Lxstr

Closing due to lack of activity and high likelihood this is already fixed. There is a section on 0.7.0 docs relating to permanent sessions.

Lxstr avatar Mar 10 '24 12:03 Lxstr