pallets-eco / flask-session

Server side session extension for Flask
https://flask-session.readthedocs.io
BSD 3-Clause "New" or "Revised" License

API components to defend against session management vulnerabilities. #39

Closed lanmaster53 closed 6 months ago

lanmaster53 commented 8 years ago

Unless I'm missing something, I don't see where this module exposes the necessary APIs to prevent vulnerabilities such as Session Fixation. In a scenario where you need a pre-authenticated session, how would one create a new session, move the contents of the old session over to the new session, remove the old session, and update the cookie to reflect the token for the new session? I realize I can use session.clear() to remove the old session, but that is only 1/4 of the problem. Am I missing something? Or is that logic that has yet to be written?
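The four-step rotation asked about above (new session, copy contents, drop the old one, hand the new identifier back in the cookie), as an added example that is not part of this thread and does not use Flask-Session's own API: `SessionStore` and `login` are constructed names for a minimal dict-backed server-side store standing in for whatever backend the extension is configured with.

```python
import secrets
from typing import Any, Dict, Optional

# Constructed stand-alone model of a server-side session store (not Flask-Session's code).
class SessionStore:
    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, Any]] = {}

    def create(self) -> str:
        # Identifier is generated server-side and unpredictable; the client never picks it.
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {}
        return sid

    def get(self, sid: Optional[str]) -> Optional[Dict[str, Any]]:
        # Unknown identifiers (including client-supplied ones) map to nothing.
        return self._data.get(sid) if sid else None

    def regenerate(self, old_sid: str) -> str:
        """Rotate the identifier: create a new session, move the contents over, remove the old."""
        new_sid = self.create()
        self._data[new_sid].update(self._data.pop(old_sid, {}))
        return new_sid


def login(store: SessionStore, presented_sid: Optional[str], user: str) -> str:
    """Authenticate `user` and return the identifier the response cookie must now carry.

    Pre-authentication state (cart, CSRF token, ...) is preserved, but it is bound to a
    fresh identifier, so an identifier known to anyone before login never becomes an
    authenticated one. This is the step that closes the session-fixation window.
    """
    if store.get(presented_sid) is None:
        presented_sid = store.create()  # never adopt an identifier the store did not issue
    new_sid = store.regenerate(presented_sid)
    store.get(new_sid)["user"] = user
    return new_sid
```

The value returned by `login` is what the application sets as the new session cookie; the old identifier no longer resolves to anything, so presenting it after the rotation yields an empty, unauthenticated session.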

fengsp commented 8 years ago

Maybe you could try to use a signer? Just set the SESSION_USE_SIGNER to True.

jtl999 commented 8 years ago

This may be helpful

https://github.com/fengsp/flask-session/pull/27

mcrowson commented 7 years ago

This issue was moved to mcrowson/flask-session#5

irgeek commented 6 years ago

Setting SESSION_USE_SIGNER to True may defend against some attacks, but it doesn't defend against session fixation attacks. As an attacker, I can do my own request to the app to have a valid session identifier created, signed and sent to me as a cookie. I can then extract that session identifier and use it in my attack.

Lxstr commented 7 months ago

Closed in favor of #27