[Flask] Session id reuse and Flask-session question

Ritesh Nadhani riteshn at gmail.com
Wed Aug 16 11:41:32 EDT 2017


We are using Flask-Session (with RedisSession) for our session
management. Recently, during a security review it was found that we
can do session reuse in our system.

Basically, the steps is:

a) Log back in, we get a session id and stored in cookie
b) Log back out, we invalidate the data attached to the session id but
the session id is still present in the cookie.
c) Log back in and the session id is reused with the data validated.

Now between, step (a) and (b) if somebody gets access to the token
they will be able to reuse it again once the user logs back in and the
data associated to the session_id is valid again.

Looking at the problem, it seems the best way would be to delete the
cookie when user logs out. I was reviewing the code and it seems this
is the place where the relevant code path happens:


But I am not really sure how this code path is valid (not session and
session.modified) for the next two lines of code to executed. How is
this condition met?

This seems to be a generic problem? How do you guys solve it or how
even non-Flask frameworks solve it?

NOTE: we do run everything over HTTPs with SecureOnly; flag set in the cookie.


More information about the Flask mailing list