pallets-eco / flask-session

Server side session extension for Flask
https://flask-session.readthedocs.io
BSD 3-Clause "New" or "Revised" License
501 stars 239 forks

PERMANENT_SESSION_LIFETIME Not Enforced with FileSystemSessionInterface #81

Closed dbohannon closed 7 months ago

dbohannon commented 6 years ago

As I understand the documentation, the user's session should be deleted automatically (server-side) when the SESSION_PERMANENT option is enabled and the session has been idle longer than the PERMANENT_SESSION_LIFETIME value. However, in my application the session file is never removed when using the FileSystemSessionInterface.

from flask import Flask, session
from flask_session import Session, FileSystemSessionInterface
# ...
app = Flask(__name__)
app.config['SESSION_TYPE'] = 'filesystem'
app.config['SECRET_KEY'] = 'donthardcodethisvalue!'
app.config['SESSION_FILE_DIR'] = './my_sessions'
app.config['SESSION_USE_SIGNER'] = True
app.config['SESSION_FILE_MODE'] = 0o644  # 0o prefix: octal literal valid on Python 2.6+ and 3
app.config['PERMANENT_SESSION_LIFETIME'] = 30  # timeout in seconds
app.config['SESSION_PERMANENT'] = True

# create and configure flask-session
sess = Session()

# bind app to flask-session
sess.init_app(app)

# define routes ...

However, the session is removed server-side as expected when using the Redis interface. Am I missing something with the FileSystemSessionInterface?

Additionally, looking at the source, it appears that the PERMANENT_SESSION_LIFETIME is never passed to some of the other interfaces such as MongoDB or SQLAlchemy. Is the session automatically expired server-side when using these interfaces?

josephting commented 5 years ago

The session is paired up with a UUID in the client-side cookie, so PERMANENT_SESSION_LIFETIME is essentially used to set the expiry of the cookie.

While the session will be invalidated if the cookie is deleted or has expired, the session data remains on the server, albeit never to be accessed anymore.

However, I would prefer to have expired session data removed from the server, but that will depend on the behavior of the werkzeug.contrib.cache package instead.

I doubt the files will be removed automatically but calling prune() may be able to clear all expired session data.

asheshv commented 5 years ago

werkzeug.contrib.cache is likely to be removed soon, as it is deprecated. Do you have any plans to use some other approach?

akashsenta13 commented 4 years ago

I am also facing a similar issue with PERMANENT_SESSION_LIFETIME, which is not removing data from the session within the mentioned time frame. I have used ServerSideSession:

from flask_session.sessions import ServerSideSession

Lxstr commented 7 months ago

Should now be fixed from 0.6.0
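For deployments where stale files still accumulate in SESSION_FILE_DIR as described in this thread, an external sweep is one option. The following is an added example, not code from flask-session or from any commenter: the function names are hypothetical, and it assumes each session file's mtime tracks the session's last activity. It also lists surviving files that group or other users can read, which the 0644 mode in the reported configuration permits.

```python
import os
import stat
import tempfile
import time


def prune_stale_sessions(session_dir, lifetime_seconds, now=None, dry_run=False):
    """Delete session files idle longer than lifetime_seconds.

    Returns (removed, exposed): files deleted (or that would be, with dry_run)
    and surviving files that group or other users can read.
    Assumption: the backend rewrites a session's file on every request, so the
    file's mtime approximates the session's last activity.
    """
    now = time.time() if now is None else now
    removed, exposed = [], []
    for entry in os.scandir(session_dir):
        try:
            # Do not follow symlinks: judge the entry itself, not a link's target.
            info = entry.stat(follow_symlinks=False)
        except FileNotFoundError:
            continue  # the application removed it between scandir() and stat()
        if not stat.S_ISREG(info.st_mode):
            continue  # symlinks, subdirectories, sockets and so on are left alone
        if now - info.st_mtime > lifetime_seconds:
            try:
                if not dry_run:
                    os.unlink(entry.path)
            except FileNotFoundError:
                continue
            removed.append(entry.path)
        elif info.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append(entry.path)
    return sorted(removed), sorted(exposed)


def demo():
    """Constructed sample: one session idle 120 s, one just written, both mode 0644."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("stale_session", "fresh_session"):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"constructed session payload")
            os.chmod(path, 0o644)
        old = time.time() - 120
        os.utime(os.path.join(d, "stale_session"), (old, old))
        removed, exposed = prune_stale_sessions(d, lifetime_seconds=30)
        names = lambda paths: [os.path.basename(p) for p in paths]
        return names(removed), names(exposed), sorted(os.listdir(d))
```

Run it from a scheduler with `dry_run=True` first to confirm that only session files are selected.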