pallets-eco / flask-session

Server side session extension for Flask
https://flask-session.readthedocs.io
BSD 3-Clause "New" or "Revised" License
490 stars 236 forks

New session data stored after each request #181

Closed bmakan closed 5 months ago

bmakan commented 1 year ago

This was already mentioned in https://github.com/pallets-eco/flask-session/issues/19.

I use the flask-session to store authentication data of the users. This is usually done once - when the user logs in for the first time. But whenever I refresh the page, I see a few new session entities stored in redis.

Here's an example from redis-cli:

```
127.0.0.1:6379> keys *
1) "session:99eb3546-85ba-4891-8e05-249d9a474255"
2) "session:39f4e921-5b6e-48a7-a79b-96e9dd5be0c4"
3) "session:fe8977c2-34a9-4945-acc0-6c6821944b9f"
4) "session:7c208eb7-9294-4e25-b112-43c536e2ebae"
5) "session:1af7472c-98cc-42a7-b777-6c32f96b7f25"
```

The authentication session is fe8977c2-34a9-4945-acc0-6c6821944b9f:

```
127.0.0.1:6379> get session:fe8977c2-34a9-4945-acc0-6c6821944b9f
"\x80\x04\x95[\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\x0finitial_request\x94\x8c2https://localhost:44300/\x94\x8c\x03uid\x94\x8c\x06bmakan\x94u."
```

But when I check any of the random entries, it looks to be empty:

```
127.0.0.1:6379> get session:7c208eb7-9294-4e25-b112-43c536e2ebae
"\x80\x04\x95\x12\x00\x00\x00\x00\x00\x00\x00}\x94\x8c\n_permanent\x94\x88s."
```

I was able to fix this by setting:

```python
app.config['SESSION_PERMANENT'] = False
```

The default value is True though and this means everyone is having their servers flooded with empty sessions needlessly.

Also, with the setting set to False, I expected I would have to explicitly say when I want to store the session, e.g. session.permanent = True, but this wasn't the case. The authentication session was stored properly anyway.

Is this behavior intended? What's the use case for it?
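The post above shows the two kinds of Redis values side by side: a session carrying real state (`uid`, `initial_request`) and a pickled dict holding nothing but `_permanent`. The script below is an added example, not part of flask-session or of this issue, that audits a session store for those empty entries so the growth can be measured before changing `SESSION_PERMANENT`. It assumes the default `session:` key prefix seen in the `keys *` listing and a redis-py client exposing `scan_iter(match=...)` and `get(key)`; an in-memory `FakeRedis` stand-in is included so it runs offline. The empty payload is copied verbatim from the issue; the populated payload is constructed here, because the issue's copy has a redacted URL that no longer matches its pickle frame length. Unpickling is done with an `Unpickler` whose `find_class` refuses every lookup, since a Flask-Session payload is a dict of builtins and anything else in the store is corrupt or hostile.

```python
import io
import pickle

# Captured in the issue: the value returned by `get session:7c208eb7-...`.
EMPTY_SESSION_FROM_ISSUE = (
    b"\x80\x04\x95\x12\x00\x00\x00\x00\x00\x00\x00}\x94\x8c\n_permanent\x94\x88s."
)

# Constructed stand-in for the authenticated session (same keys as the issue).
POPULATED_SESSION = pickle.dumps(
    {"initial_request": "https://localhost:44300/", "uid": "bmakan"}, protocol=4
)


class _NoClassUnpickler(pickle.Unpickler):
    """Refuse to resolve any class: a session payload must be builtins only."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_session(raw: bytes) -> dict:
    """Decode one stored session value into a dict, or raise."""
    data = _NoClassUnpickler(io.BytesIO(raw)).load()
    if not isinstance(data, dict):
        raise pickle.UnpicklingError("session payload is not a dict")
    return data


def is_empty_session(data: dict) -> bool:
    """True when the session holds only the bookkeeping flag and no app state."""
    return set(data) <= {"_permanent"}


def audit_sessions(entries):
    """entries: iterable of (key, raw_value). Returns key lists per category."""
    report = {"empty": [], "populated": [], "unreadable": []}
    for key, raw in entries:
        try:
            data = load_session(raw)
        except Exception:  # truncated, non-pickle, or class-bearing payloads
            report["unreadable"].append(key)
            continue
        bucket = "empty" if is_empty_session(data) else "populated"
        report[bucket].append(key)
    return report


def audit_redis(client, prefix="session:"):
    """Scan a redis-py style client for session keys and classify each value.
    Assumption: the "session:" prefix is the one shown in the issue. A real
    redis.Redis returns bytes keys unless created with decode_responses=True."""
    keys = list(client.scan_iter(match=prefix + "*"))
    return audit_sessions((k, client.get(k)) for k in keys)


class FakeRedis:
    """In-memory stand-in for redis.Redis (constructed for this example)."""

    def __init__(self, store):
        self._store = store

    def scan_iter(self, match="*"):
        prefix = match.rstrip("*")
        return (k for k in self._store if k.startswith(prefix))

    def get(self, key):
        return self._store.get(key)


# Constructed store mirroring the issue's listing: one real session among
# empty ones, plus a truncated value and a class-bearing value to exercise
# the unreadable path.
SAMPLE_STORE = {
    "session:99eb3546-85ba-4891-8e05-249d9a474255": EMPTY_SESSION_FROM_ISSUE,
    "session:fe8977c2-34a9-4945-acc0-6c6821944b9f": POPULATED_SESSION,
    "session:7c208eb7-9294-4e25-b112-43c536e2ebae": EMPTY_SESSION_FROM_ISSUE,
    "session:junk": b"\x80\x04\x95\x12\x00\x00\x00\x00\x00\x00\x00}",
    "session:class-bearing": pickle.dumps(FakeRedis({}), protocol=4),
}

if __name__ == "__main__":
    report = audit_redis(FakeRedis(SAMPLE_STORE))
    for bucket, keys in report.items():
        print(f"{bucket}: {len(keys)}")
```

Against a live store, pass `redis.Redis(host=..., port=6379)` in place of `FakeRedis`; the ratio of `empty` to `populated` keys is the number this thread is about, and it should fall to near zero once `SESSION_PERMANENT` is set to `False` or the 0.6.0 fix is deployed.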

bmakan commented 1 year ago

This is from a server where I have several session keys:

Optimal Case

```bash
root@babmakan1:~# ps aux | grep redis
root     2103055  0.0  0.0  19696  3220 ?      Ssl  Jun14  24:41 redis-server *:6379
redis    2386596  0.1  0.0 226464 10632 ?      Ssl  13:58   0:04 /usr/bin/redis-server 127.0.0.1:6379
root     2397456  0.0  0.0   6436   728 pts/7  S+   14:44   0:00 grep --color=auto redis
root@babmakan1:~# pmap 2103055
2103055:   redis-server *:6379
0000555dcb660000    384K r---- redis-server
0000555dcb6c0000    788K r-x-- redis-server
0000555dcb785000    420K r---- redis-server
0000555dcb7ee000     12K r---- redis-server
0000555dcb7f1000    360K rw--- redis-server
0000555dcb84b000    128K rw--- [ anon ]
0000555dcd7b6000      4K ----- [ anon ]
0000555dcd7b7000     16K rw--- [ anon ]
0000555dcd7bb000     16K rw--- [ anon ]
00007efcce7d8000     28K rw--- [ anon ]
00007efcce7ed000     64K rw--- [ anon ]
00007efcce802000      8K rw--- [ anon ]
00007efcce807000      8K rw--- [ anon ]
00007efcce809000      8K ----- [ anon ]
00007efcce80b000   4100K rw--- [ anon ]
00007efccec0c000      8K ----- [ anon ]
00007efccec0e000   4100K rw--- [ anon ]
00007efccf00f000      8K ----- [ anon ]
00007efccf011000   5068K rw--- [ anon ]
00007efccf504000     84K rw--- [ anon ]
00007efccf519000     28K rw--- [ anon ]
00007efccf520000     72K rw--- [ anon ]
00007efccf532000      4K rw--- [ anon ]
00007efccf533000    140K rw--- [ anon ]
00007efccf556000    468K r---- libcrypto.so.1.1
00007efccf5cb000   1372K r-x-- libcrypto.so.1.1
00007efccf722000    532K r---- libcrypto.so.1.1
00007efccf7a7000    172K r---- libcrypto.so.1.1
00007efccf7d2000      8K rw--- libcrypto.so.1.1
00007efccf7d4000     16K rw--- [ anon ]
00007efccf7d8000    112K r---- libssl.so.1.1
00007efccf7f4000    256K r-x-- libssl.so.1.1
00007efccf834000     96K r---- libssl.so.1.1
00007efccf84c000     36K r---- libssl.so.1.1
00007efccf855000     16K rw--- libssl.so.1.1
00007efccf859000     84K r---- ld-musl-x86_64.so.1
00007efccf86e000    288K r-x-- ld-musl-x86_64.so.1
00007efccf8b6000    216K r---- ld-musl-x86_64.so.1
00007efccf8ec000      4K r---- ld-musl-x86_64.so.1
00007efccf8ed000      4K rw--- ld-musl-x86_64.so.1
00007efccf8ee000     12K rw--- [ anon ]
00007ffd4b91f000    132K rw--- [ stack ]
00007ffd4b9b4000     12K r---- [ anon ]
00007ffd4b9b7000      4K r-x-- [ anon ]
ffffffffff600000      4K --x-- [ anon ]
 total            19700K
```

And this is from a server which has 1.2mil session objects:

Production Server

```bash
root@4cd51b73d2f5 /$ ps aux | grep redis
root        13  0.1  1.0 523976 222236 ?      Ssl  Jun29  12:26 redis-server *:6379
root     20571  0.0  0.0   3452    732 pts/1  S+   12:48   0:00 grep --color=auto redis
root@4cd51b73d2f5 /opt/regressdb$ pmap 13
13:   redis-server *:6379
000055ef8c911000     188K r---- redis-check-rdb
000055ef8c940000     904K r-x-- redis-check-rdb
000055ef8ca22000     304K r---- redis-check-rdb
000055ef8ca6f000       4K r---- redis-check-rdb
000055ef8ca70000      40K rw--- redis-check-rdb
000055ef8ca7a000     116K rw--- [ anon ]
00007f0470a00000  239616K rw--- [ anon ]
00007f047f580000  217600K rw--- [ anon ]
00007f048cb7c000    2560K rw--- [ anon ]
00007f048cdfc000       4K ----- [ anon ]
00007f048cdfd000    8192K rw--- [ anon ]
00007f048d5fd000       4K ----- [ anon ]
00007f048d5fe000    8192K rw--- [ anon ]
00007f048ddfe000       4K ----- [ anon ]
00007f048ddff000    8192K rw--- [ anon ]
00007f048e5ff000       4K ----- [ anon ]
00007f048e600000    8192K rw--- [ anon ]
00007f048ee00000    8192K rw--- [ anon ]
00007f048f7e0000      60K r---- libgcrypt.so.20.3.4
00007f048f7ef000     920K r-x-- libgcrypt.so.20.3.4
00007f048f8d5000     248K r---- libgcrypt.so.20.3.4
00007f048f913000       4K ----- libgcrypt.so.20.3.4
00007f048f914000      12K r---- libgcrypt.so.20.3.4
00007f048f917000      24K rw--- libgcrypt.so.20.3.4
00007f048f91d000       4K rw--- [ anon ]
00007f048f91e000      40K r---- libzstd.so.1.4.8
00007f048f928000     712K r-x-- libzstd.so.1.4.8
00007f048f9da000      68K r---- libzstd.so.1.4.8
00007f048f9eb000       4K r---- libzstd.so.1.4.8
00007f048f9ec000       4K rw--- libzstd.so.1.4.8
00007f048f9ed000     616K r---- libstdc++.so.6.0.30
00007f048fa87000    1088K r-x-- libstdc++.so.6.0.30
00007f048fb97000     444K r---- libstdc++.so.6.0.30
00007f048fc06000      44K r---- libstdc++.so.6.0.30
00007f048fc11000      12K rw--- libstdc++.so.6.0.30
00007f048fc14000      12K rw--- [ anon ]
00007f048fc17000     160K r---- libc.so.6
00007f048fc3f000    1620K r-x-- libc.so.6
00007f048fdd4000     352K r---- libc.so.6
00007f048fe2c000      16K r---- libc.so.6
00007f048fe30000       8K rw--- libc.so.6
00007f048fe32000      52K rw--- [ anon ]
00007f048fe3f000     712K r---- libcrypto.so.3
00007f048fef1000    2424K r-x-- libcrypto.so.3
00007f049014f000     840K r---- libcrypto.so.3
00007f0490221000     364K r---- libcrypto.so.3
00007f049027c000      12K rw--- libcrypto.so.3
00007f049027f000      12K rw--- [ anon ]
00007f0490282000     120K r---- libssl.so.3
00007f04902a0000     364K r-x-- libssl.so.3
00007f04902fb000     116K r---- libssl.so.3
00007f0490318000      40K r---- libssl.so.3
00007f0490322000      16K rw--- libssl.so.3
00007f0490326000      24K r---- libjemalloc.so.2
00007f049032c000     628K r-x-- libjemalloc.so.2
00007f04903c9000      52K r---- libjemalloc.so.2
00007f04903d6000       4K ----- libjemalloc.so.2
00007f04903d7000      20K r---- libjemalloc.so.2
00007f04903dc000       4K rw--- libjemalloc.so.2
00007f04903dd000    2188K rw--- [ anon ]
00007f0490600000       8K r-x-- liblua5.1-bitop.so.0.0.0
00007f0490602000    2044K ----- liblua5.1-bitop.so.0.0.0
00007f0490801000       4K r---- liblua5.1-bitop.so.0.0.0
00007f0490802000       4K rw--- liblua5.1-bitop.so.0.0.0
00007f0490819000      32K rw--- [ anon ]
00007f0490821000      16K r---- libgpg-error.so.0.32.1
00007f0490825000      88K r-x-- libgpg-error.so.0.32.1
00007f049083b000      40K r---- libgpg-error.so.0.32.1
00007f0490845000       4K r---- libgpg-error.so.0.32.1
00007f0490846000       4K rw--- libgpg-error.so.0.32.1
00007f0490847000      12K r---- libcap.so.2.44
00007f049084a000      16K r-x-- libcap.so.2.44
00007f049084e000       8K r---- libcap.so.2.44
00007f0490850000       4K r---- libcap.so.2.44
00007f0490851000       4K rw--- libcap.so.2.44
00007f0490852000      76K r---- libsystemd.so.0.32.0
00007f0490865000     508K r-x-- libsystemd.so.0.32.0
00007f04908e4000     172K r---- libsystemd.so.0.32.0
00007f049090f000       4K ----- libsystemd.so.0.32.0
00007f0490910000      28K r---- libsystemd.so.0.32.0
00007f0490917000       4K rw--- libsystemd.so.0.32.0
00007f0490918000       4K rw--- [ anon ]
00007f0490919000      56K r---- libm.so.6
00007f0490927000     496K r-x-- libm.so.6
00007f04909a3000     364K r---- libm.so.6
00007f04909fe000       4K r---- libm.so.6
00007f04909ff000       4K rw--- libm.so.6
00007f0490a00000      24K r-x-- liblua5.1-cjson.so.0.0.0
00007f0490a06000    2048K ----- liblua5.1-cjson.so.0.0.0
00007f0490c06000       4K r---- liblua5.1-cjson.so.0.0.0
00007f0490c07000       4K rw--- liblua5.1-cjson.so.0.0.0
00007f0490c09000       8K rw--- [ anon ]
00007f0490c0b000       8K r---- liblz4.so.1.9.3
00007f0490c0d000     100K r-x-- liblz4.so.1.9.3
00007f0490c26000       8K r---- liblz4.so.1.9.3
00007f0490c28000       4K ----- liblz4.so.1.9.3
00007f0490c29000       4K r---- liblz4.so.1.9.3
00007f0490c2a000       4K rw--- liblz4.so.1.9.3
00007f0490c2b000      12K r---- liblzma.so.5.2.5
00007f0490c2e000     108K r-x-- liblzma.so.5.2.5
00007f0490c49000      44K r---- liblzma.so.5.2.5
00007f0490c54000       4K r---- liblzma.so.5.2.5
00007f0490c55000       4K rw--- liblzma.so.5.2.5
00007f0490c56000      12K r---- libgcc_s.so.1
00007f0490c59000      92K r-x-- libgcc_s.so.1
00007f0490c70000      16K r---- libgcc_s.so.1
00007f0490c74000       4K r---- libgcc_s.so.1
00007f0490c75000       4K rw--- libgcc_s.so.1
00007f0490c76000       8K rw--- [ anon ]
00007f0490c78000       4K r---- libdl.so.2
00007f0490c79000       4K r-x-- libdl.so.2
00007f0490c7a000       4K r---- libdl.so.2
00007f0490c7b000       4K r---- libdl.so.2
00007f0490c7c000       4K rw--- libdl.so.2
00007f0490c7d000       8K rw--- [ anon ]
00007f0490c7f000      28K r---- liblua5.1.so.0.0.0
00007f0490c86000     116K r-x-- liblua5.1.so.0.0.0
00007f0490ca3000      40K r---- liblua5.1.so.0.0.0
00007f0490cad000       8K r---- liblua5.1.so.0.0.0
00007f0490caf000       4K rw--- liblua5.1.so.0.0.0
00007f0490cb0000       4K r---- liblzf.so.1.5
00007f0490cb1000       8K r-x-- liblzf.so.1.5
00007f0490cb3000       4K r---- liblzf.so.1.5
00007f0490cb4000       4K r---- liblzf.so.1.5
00007f0490cb5000       4K rw--- liblzf.so.1.5
00007f0490cb6000       8K r---- libatomic.so.1.2.0
00007f0490cb8000      12K r-x-- libatomic.so.1.2.0
00007f0490cbb000       8K r---- libatomic.so.1.2.0
00007f0490cbd000       4K r---- libatomic.so.1.2.0
00007f0490cbe000       4K rw--- libatomic.so.1.2.0
00007f0490cbf000       4K rw--- [ anon ]
00007f0490cc4000       8K rw--- [ anon ]
00007f0490cc6000       8K r---- ld-linux-x86-64.so.2
00007f0490cc8000     168K r-x-- ld-linux-x86-64.so.2
00007f0490cf2000      44K r---- ld-linux-x86-64.so.2
00007f0490cfe000       8K r---- ld-linux-x86-64.so.2
00007f0490d00000       8K rw--- ld-linux-x86-64.so.2
00007fff9e26a000     132K rw--- [ stack ]
00007fff9e32e000       8K r-x-- [ anon ]
ffffffffff600000       4K r-x-- [ anon ]
 total            523980K
```

500+MB of nothing.

0x1618 commented 11 months ago

Try setting SESSION_COOKIE_SECURE to False.

You can set it back when you have https.

shinxi commented 10 months ago

Met the same issue, SESSION_PERMANENT=False works for me, while SESSION_COOKIE_SECURE=False doesn't work.

idoshr commented 10 months ago

Maybe it is related to a SameSite issue. Try changing SESSION_COOKIE_SAMESITE and SESSION_COOKIE_SECURE.

Lxstr commented 6 months ago

@bmakan I've added some changes in the development branch, which I believe may have solved the issues. Are you able to install locally to test? Thanks

bmakan commented 6 months ago

> @bmakan I've added some changes in the development branch, which I believe may have solved the issues. Are you able to install locally to test? Thanks

```bash
pip install git+https://github.com/pallets-eco/flask-session.git@development
# app.config['SESSION_PERMANENT'] = False
```

After several page refreshes and various other requests going through, I still only see one session stored in redis which corresponds to the one I see in the browser's cookie.
Once I removed the cookie from the browser, a new one was stored in redis as well. As expected.

Looks good to me.

Lxstr commented 6 months ago

Awesome, thanks!

Lxstr commented 5 months ago

Fixed in 0.6.0