Added session destruction and regeneration support

[twolfson]

While working with flask-session, we realized we wanted to prevent session fixation attacks. These are attacks which involve a user's session id not being rotated on login nor fully erased on logout. In order to remedy that, we are adding 2 methods:

• session_interface.destroy - Erases underlying store data and deletes user cookie (used during logout)
• session_interface.regenerate - Generates a new session id and deletes old store data (used during login)

In this PR:

• Added tests for destroy behavior (old behavior of setting flask.session to None or {} wasn't working since _permanent was being held)
• Added tests for regenerate behavior
• Added session_interface.destroy and session_interface.regenerate

Notes: It's not clear whether this should live in flask or flask-session but this was definitely the simpler solution for now. I will be opening a sibling issue on flask to get feedback.

[twolfson]

I am realizing that we can make the API cleaner by passing session_interface to the session constructor itself. This would allow forsession.destroy() calls which under the hood has session invoke self._interface.destroy(self).

[twolfson]

On the Flask thread, we concluded that it's a pretty bad idea to store anything as an attribute on session as it could get picked up by a serializer (e.g. pickle).

[mmautner]

:+1:

[StephanDollberg]

Any updates on this? I think it's pretty important and hacked something similar together for one of my projects. (Is this project even still active?)

[kgritesh]

Wanted to know if there is any update on this as well

[jeffsuarez]

👍

[cowbert]

Isn't this is an incomplete implementation anyway, since you only modified the Redis interface?

[Lxstr]

Session regeneration should be provided in flask 0.7.0, 0.7.0rc2 is now available with session_interface.regenerate(). It seems we don't need the destroy method as session.clear() should now result in session data being deleted as _permanent is ignored in boolean evaluation of session. Reopen a new issue if anyone believes a specific destroy function is needed.