Closed twolfson closed 6 months ago
I am realizing that we can make the API cleaner by passing `session_interface` to the session constructor itself. This would allow for `session.destroy()` calls which under the hood has session invoke `self._interface.destroy(self)`.
On the Flask thread, we concluded that it's a pretty bad idea to store anything as an attribute on `session` as it could get picked up by a serializer (e.g. `pickle`).
:+1:
Any updates on this? I think it's pretty important and hacked something similar together for one of my projects. (Is this project even still active?)
Wanted to know if there is any update on this as well
👍
Isn't this an incomplete implementation anyway, since you only modified the Redis interface?
Session regeneration should be provided in flask 0.7.0, 0.7.0rc2 is now available with session_interface.regenerate(). It seems we don't need the destroy method as session.clear() should now result in session data being deleted as _permanent is ignored in boolean evaluation of session. Reopen a new issue if anyone believes a specific destroy function is needed.
While working with `flask-session`, we realized we wanted to prevent session fixation attacks. These are attacks which involve a user's session id not being rotated on login nor fully erased on logout. In order to remedy that, we are adding 2 methods:

- `session_interface.destroy` - Erases underlying store data and deletes user cookie (used during logout)
- `session_interface.regenerate` - Generates a new session id and deletes old store data (used during login)

In this PR:

- `flask.session` to `None` or `{}` (wasn't working since `_permanent` was being held)
- `session_interface.destroy` and `session_interface.regenerate`

Notes: It's not clear whether this should live in `flask` or `flask-session` but this was definitely the simpler solution for now. I will be opening a sibling issue on `flask` to get feedback.
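The two operations this PR describes, shown as an added example that is not flask-session's own code: a constructed in-memory session interface (`MemorySessionInterface` and `Session` are assumed names; the dict `store` stands in for the Redis backend) where `regenerate` rotates the session id on login and `destroy` wipes the stored data and deletes the cookie on logout. The `Session` class also keeps the permanence flag as an attribute rather than a dict key, so an emptied session evaluates falsy, which is the behaviour the closing maintainer comment above refers to.

```python
import secrets
from typing import Dict, Optional


class Session(dict):
    """Constructed stand-in for a server-side session object (not flask-session's class).

    The permanence flag lives on an attribute, not inside the dict, so bool(session)
    reflects only user data and a cleared session is falsy.
    """

    def __init__(self, sid: str, permanent: bool = True, initial: Optional[dict] = None):
        super().__init__(initial or {})
        self.sid = sid
        self.permanent = permanent
        self.destroyed = False


class MemorySessionInterface:
    """Hypothetical server-side session interface with destroy/regenerate (assumed API)."""

    def __init__(self) -> None:
        self.store: Dict[str, dict] = {}  # session id -> stored data; stands in for Redis

    @staticmethod
    def _new_sid() -> str:
        # 256 bits from the OS CSPRNG; unguessable ids are the other half of the defence.
        return secrets.token_urlsafe(32)

    def open_session(self, cookie_sid: Optional[str]) -> Session:
        # A missing or unknown id is never adopted as-is: the client gets a fresh id,
        # so a client-chosen value cannot become a valid server-side session.
        if cookie_sid is None or cookie_sid not in self.store:
            return Session(self._new_sid())
        return Session(cookie_sid, initial=self.store[cookie_sid])

    def regenerate(self, session: Session) -> None:
        # Login: rotate the id and drop the old store entry; the data stays on the
        # in-memory object so save_session writes it under the new id.
        old_sid = session.sid
        session.sid = self._new_sid()
        self.store.pop(old_sid, None)

    def destroy(self, session: Session) -> None:
        # Logout: erase the store entry and mark the cookie for deletion.
        self.store.pop(session.sid, None)
        session.clear()
        session.destroyed = True

    def save_session(self, session: Session) -> Optional[str]:
        """Returns the cookie value to set, or None when the cookie should be deleted."""
        if session.destroyed or not session:
            self.store.pop(session.sid, None)
            return None
        self.store[session.sid] = dict(session)
        return session.sid


def simulate_login_logout() -> dict:
    """Walks one client through pre-login, login and logout; returns the observable facts."""
    iface = MemorySessionInterface()

    # Pre-login request: anonymous session carrying some state (constructed data).
    anon = iface.open_session(None)
    anon["cart"] = ["widget"]
    pre_login_sid = iface.save_session(anon)

    # Login request: the same cookie comes back; rotate the id before binding the identity.
    s = iface.open_session(pre_login_sid)
    iface.regenerate(s)
    s["user_id"] = 42
    post_login_sid = iface.save_session(s)
    user_after_login = iface.store[post_login_sid]["user_id"]
    cart_after_login = iface.store[post_login_sid]["cart"]

    # Whoever presents the pre-login id now gets an empty, freshly minted session.
    stale = iface.open_session(pre_login_sid)

    # Logout request: destroy erases the store entry and the cookie is deleted.
    s2 = iface.open_session(post_login_sid)
    iface.destroy(s2)
    logout_cookie = iface.save_session(s2)

    return {
        "rotated": post_login_sid != pre_login_sid,
        "old_sid_in_store": pre_login_sid in iface.store,
        "stale_has_user": "user_id" in stale,
        "user_after_login": user_after_login,
        "cart_after_login": cart_after_login,
        "store_after_logout": len(iface.store),
        "logout_cookie": logout_cookie,
    }


if __name__ == "__main__":
    print(simulate_login_logout())
```

The point of `regenerate` is that identity is bound only to an id the server minted during the login request, so any id the client held beforehand stops resolving to data; `destroy` closes the other gap by removing the store entry rather than relying on the cookie alone to expire.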