christopherpickering / flask-session2

Server side session extension for Flask

Redis session cookies not supported? #39

Open hubbins opened 1 year ago

hubbins commented 1 year ago

It seems only permanent sessions (SESSION_PERMANENT=True) are supported for Redis. Looking at the implementation:

    if session.permanent:
        value = self.serializer.dumps(dict(session))
        self.redis.setex(
            name=self.key_prefix + session.sid,
            value=value,
            time=total_seconds(app.permanent_session_lifetime),
        )

This is the only place any values are set in Redis.

When attempting to use session cookies (SESSION_PERMANENT=False), upon login this results in a state mismatch error, since the state was not written for later comparison. Session cookies work fine with memcached.

Is there a reason that session cookies are not supported for Redis? It seems Redis is the only implementation with this logic that checks "session.permanent" before writing a value to the respective cache.

Thank you

hubbins commented 1 year ago

I found this PR. https://github.com/fengsp/flask-session/pull/80

I guess this explains the behavior, but it seems like an unfortunate workaround. Why is this not an issue in other providers such as memcached?

Thanks again

hubbins commented 1 year ago

I don't believe the PR referenced above resolved the issue where a health check endpoint is creating a new session. Sessions will always be created in Redis, regardless of whether they are "permanent" or not. As the poster said, session.clear() should probably be called in something like a health check endpoint that isn't called from a browser.
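
The behaviour discussed in this thread, modelled as an added example that is not part of the issue or the project's code: the permanent-only write quoted above next to a hypothetical alternative that stores every non-empty session with a TTL. `FakeRedis`, `save_always`, the one-hour `LIFETIME`, the session ids and the OAuth-style `state` value are assumptions made for illustration.

```python
import json

class FakeRedis:
    """In-memory stand-in exposing only setex/get (constructed for this example)."""
    def __init__(self):
        self.store = {}
    def setex(self, name, time, value):
        self.store[name] = (value, time)
    def get(self, name):
        entry = self.store.get(name)
        return entry[0] if entry else None

KEY_PREFIX = "session:"
LIFETIME = 3600  # assumed server-side TTL in seconds

def save_permanent_only(redis, sid, data, permanent):
    """Write pattern quoted in the issue: only permanent sessions reach the store."""
    if permanent:
        redis.setex(name=KEY_PREFIX + sid, time=LIFETIME, value=json.dumps(data))

def save_always(redis, sid, data, permanent):
    """Hypothetical alternative: persist any non-empty session, permanent or not."""
    if not data:  # nothing to remember, e.g. a health check that never touches the session
        return
    redis.setex(name=KEY_PREFIX + sid, time=LIFETIME, value=json.dumps(data))

def load(redis, sid):
    raw = redis.get(KEY_PREFIX + sid)
    return json.loads(raw) if raw else {}

def login_round_trip(save, permanent):
    """Request 1 stores a state value; request 2 reloads the session and compares it."""
    redis = FakeRedis()
    save(redis, "sid-1", {"state": "abc123"}, permanent)  # constructed sample values
    return load(redis, "sid-1").get("state") == "abc123"

def keys_after_health_check(save):
    """An empty session, as a health check endpoint would produce, is saved once."""
    redis = FakeRedis()
    save(redis, "sid-hc", {}, True)
    return len(redis.store)

if __name__ == "__main__":
    print(login_round_trip(save_permanent_only, False), login_round_trip(save_always, False))
```

A non-permanent session still needs a server-side expiry, because the store is never told when the browser discards its cookie.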