
Revoking sessions #222

Open
Lxstr opened this issue Mar 19, 2024 · 2 comments

Comments

@Lxstr
Contributor

Lxstr commented Mar 19, 2024

christopherpickering#21

As noted in this fork, revoking sessions using an alternative id method. It is possible we have an alternative id that is used to link to the actual user data. If we change the alternative id in the user data (probably stored on database) then the session no longer links to that data and becomes invalid. This method seems ok but there would be some implementation logic. It would also seem strange storing session information, we could store things in the session but we would have to check the alternative id matches a user in the database every time we use any session data. It's possible then that you could be storing all the session info in the database and only keep the alternative id in the session storage (e.g. Redis).

The other option is storing a list of session ids in the database which can be used to delete those sessions from storage if the user desires. It could even be a list of abbreviated session ids and the relevant user agent if it needs to be presented to the user.

I suspect that flask-session need not really be involved in either of these options, but open to input
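The "alternative id" approach from the comment above, as an added example that is not flask-session's or the poster's code: the session store (a dict standing in for Redis) holds only the alternative id, the user table holds the current alternative id, and every request must resolve the session's alternative id against the database. Revocation is a single UPDATE that rotates the id. The class and method names (AltIdSessions, login, current_user, revoke_all) and the sample user are constructed for this example.

```python
import secrets
import sqlite3


class AltIdSessions:
    """Sessions that carry only an 'alternative id'; the user row owns the real data."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # stands in for the main database
        self.db.execute(
            "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, alt_id TEXT UNIQUE)"
        )
        self.store = {}  # sid -> session data; stands in for Redis session storage

    def create_user(self, email):
        alt_id = secrets.token_urlsafe(32)
        cur = self.db.execute("INSERT INTO users (email, alt_id) VALUES (?, ?)", (email, alt_id))
        return cur.lastrowid

    def login(self, user_id):
        """Issue a new session that carries only the user's current alt_id."""
        (alt_id,) = self.db.execute("SELECT alt_id FROM users WHERE id = ?", (user_id,)).fetchone()
        sid = secrets.token_urlsafe(32)
        self.store[sid] = {"alt_id": alt_id}
        return sid

    def current_user(self, sid):
        """Resolve a session to its user; this lookup has to run on every request that
        touches session data, which is the cost the comment above points out."""
        data = self.store.get(sid)
        if data is None:
            return None
        row = self.db.execute(
            "SELECT id, email FROM users WHERE alt_id = ?", (data["alt_id"],)
        ).fetchone()
        if row is None:
            # alt_id was rotated: the session is dead, so drop it from storage as well
            self.store.pop(sid, None)
            return None
        return {"id": row[0], "email": row[1]}

    def revoke_all(self, user_id):
        """Rotate alt_id: every existing session of this user stops resolving at once."""
        self.db.execute(
            "UPDATE users SET alt_id = ? WHERE id = ?", (secrets.token_urlsafe(32), user_id)
        )


def demo():
    s = AltIdSessions()
    uid = s.create_user("alice@example.com")  # constructed sample user
    laptop = s.login(uid)
    phone = s.login(uid)
    before = (s.current_user(laptop)["id"], s.current_user(phone)["id"])
    s.revoke_all(uid)  # e.g. password change or "log out everywhere"
    after = (s.current_user(laptop), s.current_user(phone))
    fresh = s.login(uid)  # a new login picks up the rotated alt_id and works again
    return before, after, s.current_user(fresh)["id"]
```

The check worth keeping in mind: rotating the alternative id is all-or-nothing. It cannot revoke one device while keeping another, and it also kills the session that issued the revocation unless that session is re-issued afterwards, as `demo()` does with `fresh`. Per-session revocation needs the session-id list from the other option.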

@Lxstr
Contributor Author

Lxstr commented Mar 19, 2024

Second option example


from flask import Flask, redirect, render_template, session
from flask_session import Session

app = Flask(__name__)
app.config["SESSION_TYPE"] = "redis"  # any server-side backend; regenerate() needs one
Session(app)

# LoginForm, auth and update_session_ids are application code assumed to exist elsewhere.


@app.route("/login/", methods=["POST", "GET"])
def login():
    form = LoginForm()
    if form.validate_on_submit():
        email = form.email.data
        password = form.password.data
        try:
            user = auth.login(email, password)
        except Exception:
            return redirect("/login")

        # Mitigate session fixation attacks
        # If the session is not empty (/add-apple/ was previously visited), the session will be regenerated
        old_session_id = session.sid
        app.session_interface.regenerate(session)
        new_session_id = session.sid

        # The user id has to be in the session before the new sid is recorded against it
        # (assumes auth.login returns an object with an `id` attribute)
        session["user_id"] = user.id

        # Assuming there's a function update_session_ids(old_id, new_id, user_id) defined elsewhere that handles the database update
        # This updates a list of session ids associated with a user in the main database (not session storage)
        update_session_ids(old_session_id, new_session_id, session["user_id"])

        session["logged_in"] = True
        return "logged in"

    # GET, or a form that failed validation (template name assumed)
    return render_template("login.html", form=form)
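The `update_session_ids` helper the comment above leaves undefined, as an added example that is not flask-session's or the poster's code, together with the listing and revoke path that the session-id list exists for. sqlite stands in for the main database and a dict for the session store; the class and method names (SessionRegistry, list_sessions, revoke) and the sample user id and user agents are constructed for this example.

```python
import secrets
import sqlite3
from datetime import datetime, timezone


class SessionRegistry:
    """user_id -> session ids, kept in the main database (not in session storage)."""

    def __init__(self, store):
        self.store = store  # sid -> session data; stands in for Redis
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE user_sessions ("
            "user_id INTEGER, sid TEXT PRIMARY KEY, user_agent TEXT, created_at TEXT)"
        )

    def update_session_ids(self, old_sid, new_sid, user_id, user_agent=""):
        """Called right after regenerate(): the pre-login sid is gone from storage,
        so drop it from the list (if it was ever recorded) and record the new one."""
        self.db.execute("DELETE FROM user_sessions WHERE sid = ?", (old_sid,))
        self.db.execute(
            "INSERT INTO user_sessions VALUES (?, ?, ?, ?)",
            (user_id, new_sid, user_agent, datetime.now(timezone.utc).isoformat()),
        )

    def list_sessions(self, user_id):
        """What the user gets to see: an abbreviated id plus user agent, never the full sid."""
        rows = self.db.execute(
            "SELECT sid, user_agent FROM user_sessions WHERE user_id = ? ORDER BY rowid",
            (user_id,),
        )
        return [{"sid_prefix": sid[:8], "user_agent": ua} for sid, ua in rows]

    def revoke(self, user_id, sid_prefix):
        """Revoke one session picked by its abbreviated id. Scoped to user_id so a
        prefix belonging to another user's session is simply not found."""
        rows = self.db.execute(
            "SELECT sid FROM user_sessions WHERE user_id = ? AND substr(sid, 1, ?) = ?",
            (user_id, len(sid_prefix), sid_prefix),
        ).fetchall()
        if len(rows) != 1:
            return False  # unknown, or ambiguous, prefix: refuse rather than guess
        (sid,) = rows[0]
        self.store.pop(sid, None)  # delete from session storage
        self.db.execute("DELETE FROM user_sessions WHERE sid = ?", (sid,))
        return True


def demo():
    store = {}
    reg = SessionRegistry(store)
    user_id = 42  # constructed sample user
    sids = []
    # two logins from two devices: each had an anonymous sid before regenerate()
    for ua in ("Firefox/124", "Mobile Safari/17"):
        old_sid, new_sid = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        store[new_sid] = {"user_id": user_id, "logged_in": True}
        reg.update_session_ids(old_sid, new_sid, user_id, ua)
        sids.append(new_sid)
    listing = reg.list_sessions(user_id)
    ok = reg.revoke(user_id, listing[1]["sid_prefix"])  # user logs the phone out
    wrong_user = reg.revoke(7, listing[0]["sid_prefix"])  # someone else's prefix: no-op
    return (len(listing), ok, wrong_user, sids[0] in store, sids[1] in store,
            len(reg.list_sessions(user_id)))
```

When wiring this to a real flask-session backend, delete the stored key as flask-session writes it (the configured `SESSION_KEY_PREFIX` followed by the sid), not the bare sid, and run the registry write and the store delete close together: a session id left in the list after its storage entry expired is harmless, but a live session missing from the list can never be revoked from the user's listing.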

@ddorian

ddorian commented Aug 16, 2024

One way would be to store the data column as json(b) in the database. If you store the user_id in it, then you can query it as you like.
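The JSON-column approach from the comment above, as an added example that is not flask-session's or the commenter's code: the session data is stored as JSON, so the user_id inside it can be filtered on directly and no separate session-id list is needed. sqlite is used here (the `json_extract` function needs the JSON1 functions, built into SQLite 3.38 and later); on PostgreSQL with a jsonb column the equivalent filter is `WHERE data->>'user_id' = %s`. The class and method names (JsonSessionStore, sids_for_user, revoke_user) and the sample sessions are constructed for this example.

```python
import json
import secrets
import sqlite3
import time


class JsonSessionStore:
    """Server-side sessions kept in a table whose data column is JSON text."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions (sid TEXT PRIMARY KEY, data TEXT NOT NULL, expiry REAL NOT NULL)"
        )

    def save(self, sid, data, ttl=3600):
        self.db.execute(
            "INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
            (sid, json.dumps(data), time.time() + ttl),
        )

    def load(self, sid):
        row = self.db.execute(
            "SELECT data FROM sessions WHERE sid = ? AND expiry > ?", (sid, time.time())
        ).fetchone()
        return json.loads(row[0]) if row else None

    def sids_for_user(self, user_id):
        """Every live session that carries this user_id, found by querying the JSON itself."""
        rows = self.db.execute(
            "SELECT sid FROM sessions WHERE json_extract(data, '$.user_id') = ? AND expiry > ?",
            (user_id, time.time()),
        )
        return [r[0] for r in rows]

    def revoke_user(self, user_id, keep_sid=None):
        """Delete every session of the user, optionally keeping the one making the request."""
        cur = self.db.execute(
            "DELETE FROM sessions WHERE json_extract(data, '$.user_id') = ? "
            "AND (? IS NULL OR sid != ?)",
            (user_id, keep_sid, keep_sid),
        )
        return cur.rowcount


def demo():
    store = JsonSessionStore()
    laptop, phone, other = (secrets.token_urlsafe(32) for _ in range(3))
    store.save(laptop, {"user_id": 1, "logged_in": True})  # constructed sample sessions
    store.save(phone, {"user_id": 1, "logged_in": True})
    store.save(other, {"user_id": 2, "logged_in": True})
    found = len(store.sids_for_user(1))
    removed = store.revoke_user(1, keep_sid=laptop)  # "log out other devices"
    return (found, removed, store.load(laptop) is not None, store.load(phone),
            store.load(other) is not None)
```

The caveat is that this only works if user_id is written into the session on login and the data column really is JSON; a backend that serializes the session as an opaque blob cannot be queried this way. For tables of any size, index the extracted user_id (a generated column in SQLite, an expression or GIN index in PostgreSQL) so the revoke query does not scan every session.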
