Open hubbins opened 1 year ago
I found this PR: https://github.com/fengsp/flask-session/pull/80
I guess this explains the behavior, but it seems like an unfortunate workaround. Why is this not an issue in other providers such as memcached?
Thanks again
I don't believe the PR referenced above resolved the issue where a health check endpoint is creating a new session. Sessions will always be created in redis, regardless of whether they are "permanent" or not. As the poster said, session.clear() should probably be called in something like a health check endpoint that isn't called from a browser.
It seems only permanent sessions (SESSION_PERMANENT=True) are supported for redis. Looking at the implementation:
This is the only place any values are set in redis.
When attempting to use session cookies (SESSION_PERMANENT=False), upon login this results in a state mismatch error, since the state was not written for later comparison. Session cookies work fine with memcached.
Is there a reason that session cookies are not supported for redis? It seems redis is the only implementation with this logic that checks "session.permanent" before writing a value to the respective cache.
Thank you