Status: Closed (lanmaster53 closed this issue 6 months ago)
Maybe you could try to use a signer? Just set `SESSION_USE_SIGNER` to `True`.
This may be helpful
This issue was moved to mcrowson/flask-session#5
Setting `SESSION_USE_SIGNER` to `True` may defend against some attacks, but it doesn't defend against session fixation attacks. As an attacker, I can do my own request to the app to have a valid session identifier created, signed and sent to me as a cookie. I can then extract that session identifier and use it in my attack.
Closed in favor of #27
Unless I'm missing something, I don't see where this module exposes the necessary APIs to prevent vulnerabilities such as Session Fixation. In a scenario where you need a pre-authenticated session, how would one create a new session, move the contents of the old session over to the new session, remove the old session, and update the cookie to reflect the token for the new session? I realize I can use `session.clear()` to remove the old session, but that is only 1/4 of the problem. Am I missing something? Or is that logic that has yet to be written?
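The four steps asked for above (new session, move contents, remove the old one, issue the new id in the cookie), as an added, stand-alone illustration that is not Flask-Session's code: a dict stands in for the server-side store, a toy HMAC signer stands in for what `SESSION_USE_SIGNER` adds, and `login()` is a hypothetical handler that rotates the id after authentication so a pre-authentication id cannot be reused.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real app uses app.secret_key. Not Flask-Session code.
SECRET_KEY = b"constructed-demo-secret"


class ServerSideSessions:
    """Toy stand-in for a Flask-Session backend: a dict instead of Redis/Memcached."""

    def __init__(self):
        self.store = {}

    def _tag(self, sid):
        return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

    def sign(self, sid):
        # What a signer adds: the cookie carries the sid plus an HMAC tag.
        return f"{sid}.{self._tag(sid)}"

    def unsign(self, cookie):
        # A forged or tampered cookie fails here; a legitimately issued one does not,
        # which is why signing alone does not address fixation.
        if not cookie or "." not in cookie:
            return None
        sid, _, tag = cookie.rpartition(".")
        return sid if hmac.compare_digest(tag, self._tag(sid)) else None

    def create(self):
        sid = secrets.token_urlsafe(32)
        self.store[sid] = {}
        return sid

    def regenerate(self, old_sid):
        # The steps from the issue: new id, move contents, remove the old entry.
        new_sid = secrets.token_urlsafe(32)
        self.store[new_sid] = self.store.pop(old_sid, {})
        return new_sid


def login(sessions, cookie, user):
    """Hypothetical login handler: authenticate, rotate the session id,
    return the value to send back in Set-Cookie (the fourth step)."""
    sid = sessions.unsign(cookie)
    if sid is None or sid not in sessions.store:
        sid = sessions.create()
    # Rotation discards whatever id the client brought in before authenticating,
    # while keeping the pre-auth contents (e.g. a shopping cart).
    sid = sessions.regenerate(sid)
    sessions.store[sid]["user"] = user
    return sessions.sign(sid)
```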