What is session in flask?
I’ve been using flask for a long time and every time I just get my work done with session and auth without seeing what’s happening actually.
I read about JWT and have blogged it too. Thus sessions in flask intrigued me. Currently there is something as SECRET in flask app which is essential to use session. This SECRET is not doing encryption but it is used to sign the cookie. The data is base64 encoded. So it can easily be decoded. Thats why don’t keep your secret information in session data.
The session cookie is made of 3 parts :
Data . Modified Timestamp . Signature
This signature is SHA1 made with Data + Timestamp + SECRET.
So if data is tampered, the signature check will fail unless the person knows the secret. If one knows the secret then they can change the data and generate the new signature with the secret. This validation will be passed by flask and thus we are compromised.
How I solved the problem of one person not opening other person’s session?
My uri was of the form:
users/<id>/numbers
In my session, I have stored the value of userid and on every route access, I check if the <id> param matched the cookie value of userid. If it matches, then the user has access to that specific route.
Also to make it more complicated, set the <id> to uuid rather than numbers so that its difficult to guess the uuid of some other person.
Its also like JWT. Client-side-session. And the sessions are stateless.There is no db call made.
Great links: https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce
You may contact the author at me@abhinavrai.com