pallets-eco / flask-session

Server side session extension for Flask
https://flask-session.readthedocs.io
BSD 3-Clause "New" or "Revised" License

session.clear() does not work correctly with mongodb #64

Closed efazati closed 1 year ago

efazati commented 7 years ago

I used session.clear() with the MongoDB back end and it deletes the cookie from the client correctly, but when a user saves the cookie separately and sends it to the server, I have a session with this cookie. How can I solve this problem?

vanastassiou commented 4 years ago

I'm not sure whether this is the same problem as the one I just worked around (Redis database for storing sessions). My problem looked like this:

  1. Logged-in user initiates a query
  2. User logs out before query completes
  3. New user logs in using same browser
  4. After new user successfully authenticates, old user's session is restored

I found that this was because Flask calls save_session() at the end of every request, which re-saves the requesting user's session to the back end. My work-around was as follows:

  1. In my server's login() function, add is_login: True attribute to the session immediately after the server returns a response containing the session
  2. Update save_session() to check for is_login early and:
    • Immediately save session to Redis store if True and remove the is_login attribute
    • Check for a Redis-stored session matching the request and return if none
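
The race described in the comment above and the guard it proposes, as an added sketch that is not code from this thread or from Flask-Session. A plain dict stands in for the Redis store, and `naive_save`, `guarded_save` and `replay_after_logout` are hypothetical names; the session ID is a constructed sample value.

```python
# Added illustration only: a dict models the server-side store (Redis in the
# comment above). Nothing here is Flask-Session's own implementation.

def naive_save(store, sid, session):
    """Model of an unconditional end-of-request save: always writes back."""
    store[sid] = dict(session)
    return True

def guarded_save(store, sid, session):
    """Model of the workaround: only a login may create a record; any other
    request may only update a record that still exists in the store."""
    if session.pop("is_login", False):
        # Step 2, first bullet: save immediately and drop the marker.
        store[sid] = dict(session)
        return True
    if sid not in store:
        # Step 2, second bullet: no stored session matches the request
        # (it was cleared while the request ran), so do not recreate it.
        return False
    store[sid] = dict(session)
    return True

def replay_after_logout(save):
    """Run the sequence from the comment; return True if the logged-out
    session exists in the store again after the slow request finishes."""
    store = {}
    sid = "sid-constructed-0001"          # constructed sample session ID

    # Login sets the marker (step 1 of the workaround) and saves.
    save(store, sid, {"user": "old-user", "is_login": True})

    # A slow request loads its copy of the session when it starts.
    in_flight = dict(store[sid])
    in_flight.pop("is_login", None)       # marker never travels with a request

    # The user logs out before the slow request completes.
    store.pop(sid, None)

    # The slow request ends and the framework saves its session copy.
    save(store, sid, in_flight)
    return sid in store

if __name__ == "__main__":
    print("naive save restores old session:  ", replay_after_logout(naive_save))
    print("guarded save restores old session:", replay_after_logout(guarded_save))
```

The same guard covers a request that arrives later with a saved copy of the cookie: with no matching record in the store, `guarded_save` declines to write one.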