Migrate from flask.session to a dedicated cookie
This has been on my mind for a while, especially as there have been multiple bugs related to incorrectly or partially purging Flask's session of our library's keys. While session may seem like a convenient place to store Flask-Login's state, it risks clobbering application data (what happens when the application has a user_id key, for instance; we have a conflict and data loss occurs). A much more robust solution is to use a separate cookie: this is how Flask-Seasurf has always worked. A downside to this approach is that libraries which facilitate server-side session objects are no longer viable. However, I see this as a feature: server-side cookies do not scale and are in my opinion not worth supporting–it isn't the kind of design we should be promoting.

This is a planned feature of 0.4.0.
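The collision the issue describes, shown side by side with the dedicated-cookie alternative. This is an added illustration, not code from Flask-Login or from the issue author: DedicatedCookie, login_shared, logout_shared, login_dedicated, logout_dedicated and demonstrate are hypothetical names, the key list and the sample session contents are constructed, and the cookie is signed with an HMAC over a JSON body using only the standard library (Flask's own SecureCookieSession serialisation is not reproduced here).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Keys the library owns (constructed for this example). In the shared-session
# design these collide with any application key of the same name; "user_id"
# is the one the issue calls out.
LIBRARY_KEYS = ("user_id", "_fresh")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DedicatedCookie:
    """Hypothetical helper: the library's state in its own HMAC-signed cookie value.

    The value is signed, not encrypted: the browser can read it but cannot alter
    it without the key. Anything that fails verification is treated as an absent
    cookie (fail closed) instead of raising into the request.
    """

    def __init__(self, secret_key: bytes, salt: bytes = b"flask-login-cookie"):
        # Per-purpose key derived from the app secret with a salt, so a signature
        # for this cookie cannot be replayed as a signature for some other cookie.
        self._key = hmac.new(secret_key, salt, hashlib.sha256).digest()

    def _mac(self, body: str) -> str:
        return _b64e(hmac.new(self._key, body.encode("utf-8"), hashlib.sha256).digest())

    def dumps(self, state: dict) -> str:
        body = _b64e(json.dumps(state, separators=(",", ":"), sort_keys=True).encode())
        return f"{body}.{self._mac(body)}"

    def loads(self, value: Optional[str]) -> dict:
        """Return the verified state, or {} for a missing, malformed or tampered cookie."""
        if not value or "." not in value:
            return {}
        body, mac = value.rsplit(".", 1)
        if not hmac.compare_digest(mac, self._mac(body)):
            return {}
        try:
            state = json.loads(_b64d(body))
        except (ValueError, UnicodeDecodeError):
            return {}
        return state if isinstance(state, dict) else {}


def login_shared(session: dict, user_id: str) -> dict:
    """Shared-session design: the library writes its keys straight into the app session."""
    session["user_id"] = user_id
    session["_fresh"] = True
    return session


def logout_shared(session: dict) -> dict:
    """Purge only the library's keys; an app key of the same name goes with them."""
    for key in LIBRARY_KEYS:
        session.pop(key, None)
    return session


def login_dedicated(cookie: DedicatedCookie, user_id: str) -> str:
    """Dedicated-cookie design: the library's state lives in its own cookie value."""
    return cookie.dumps({"user_id": user_id, "_fresh": True})


def logout_dedicated() -> str:
    """Log out by clearing the whole cookie; nothing of the application's lives in it."""
    return ""


def demonstrate() -> dict:
    # Constructed sample: the application already uses "user_id" for its own purposes.
    app_session = {"user_id": "profile-owned-by-app", "cart": ["sku-1"]}

    # Shared session: login overwrites the app's key, logout then deletes it outright.
    shared = login_shared(dict(app_session), "login-17")
    clobbered = shared["user_id"] != app_session["user_id"]
    logout_shared(shared)
    app_key_lost = "user_id" not in shared

    # Dedicated cookie: the app session is never touched.
    cookie = DedicatedCookie(b"app-secret-key")
    token = login_dedicated(cookie, "login-17")
    restored = cookie.loads(token)

    # A client that rewrites the body to claim another identity keeps the old MAC,
    # so verification fails and the request is treated as anonymous.
    _, mac = token.rsplit(".", 1)
    forged_body = _b64e(json.dumps({"_fresh": True, "user_id": "admin"}, separators=(",", ":")).encode())
    forged = f"{forged_body}.{mac}"

    return {
        "shared_clobbered": clobbered,
        "shared_app_key_lost_on_logout": app_key_lost,
        "dedicated_user_id": restored.get("user_id"),
        "app_session_intact": app_session["user_id"] == "profile-owned-by-app",
        "forgery_rejected": cookie.loads(forged) == {},
        "logout_clears_everything": cookie.loads(logout_dedicated()) == {},
    }


if __name__ == "__main__":
    print(demonstrate())
```

The point of the separate cookie is visible in logout_dedicated: there is nothing to enumerate and nothing to miss, because the library never shares a namespace with the application. The trade-off the issue mentions also shows here: the state is client-held and signed, so a server-side session store has no role in it.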
Issue Analytics
- Created 8 years ago
- Comments: 11 (5 by maintainers)
Top GitHub Comments
I think we want to get away from using Flask’s session object–there isn’t really a benefit to it and it leads to complications. Ultimately Flask’s session object is outside the scope of this library and so we risk any number of unintended consequences by not bringing that scope back into the library.
What I suggest is we implement an abstraction that allows the library consumer to decide what class sessions are built with. Such objects should be compatible with Flask's sessions (i.e. present the same API) and could simply default to flask.sessions.SecureCookieSession to begin with. Once that's done, we should bring the entire interface into the library and use our own implementation as the default.

So the requirements for moving to a separate cookie are:
- Flask.session because we don't want to implement all that logic again

The docs on sessions don't seem very intuitive… is it absolutely necessary to use a separate session cookie? Is this just to prevent deleting non-Flask-Login related session keys when logging the user out? We could just have a boolean config that lets the user choose to clear the whole session or only Flask-Login related keys?