[Flask] Session id reuse and Flask-session question

Bryan Corralejo corralejob at gmail.com
Wed Aug 16 11:50:32 EDT 2017


Ritesh,

Do you use session.clear() to clear the session on logout, or invalidate it using some other method? Also, is the session modified before you clear it? Maybe using flash?

Regards,

Bryan



> On Aug 16, 2017, at 10:41 AM, Ritesh Nadhani <riteshn at gmail.com> wrote:
> 
> Hello
> 
> We are using Flask-Session (with RedisSession) for our session
> management. Recently, during a security review it was found that we
> can do session reuse in our system.
> 
> Basically, the steps are:
> 
> a) Log back in; we get a session id and it is stored in a cookie.
> b) Log back out; we invalidate the data attached to the session id, but
> the session id is still present in the cookie.
> c) Log back in, and the session id is reused with the data validated.
> 
> Now, between step (a) and (b), if somebody gets access to the token,
> they will be able to reuse it again once the user logs back in and the
> data associated with the session_id is valid again.
> 
> Looking at the problem, it seems the best way would be to delete the
> cookie when the user logs out. I was reviewing the code and it seems this
> is the place where the relevant code path happens:
> 
> https://github.com/fengsp/flask-session/blob/master/flask_session/sessions.py#L144
> 
> But I am not really sure how this code path is valid (not session and
> session.modified) for the next two lines of code to be executed. How is
> this condition met?
> 
> This seems to be a generic problem? How do you guys solve it, or how
> do even non-Flask frameworks solve it?
> 
> NOTE: we do run everything over HTTPS with the SecureOnly flag set in the cookie.
> 
> -- 
> Ritesh


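The (a)-(c) sequence from Ritesh's message as an added, self-contained Python model; this is not Flask-Session's code: a plain dict stands in for Redis, and the login/logout function names and replay_works are made up for the illustration. It contrasts reusing the session id the browser presents with minting a fresh id on every login and deleting the cookie on logout.

```python
import secrets

# A plain dict stands in for the Redis backend: session id -> session data.


def login_reusing_sid(store, cookie_sid, user):
    # Problematic pattern from the thread: keep whatever id the browser presents.
    sid = cookie_sid or secrets.token_urlsafe(32)
    store[sid] = {"user": user}
    return sid  # value the server puts in the session cookie


def logout_keep_cookie(store, cookie_sid):
    # Server-side data is dropped (as session.clear() would), but the cookie survives.
    store.pop(cookie_sid, None)
    return cookie_sid


def login_rotating_sid(store, cookie_sid, user):
    # Hardened: discard any presented id and mint a fresh one on every login.
    store.pop(cookie_sid, None)
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user}
    return sid


def logout_delete_cookie(store, cookie_sid):
    # Hardened: drop the data and tell the browser to forget the cookie
    # (a Flask view would call response.delete_cookie(app.config["SESSION_COOKIE_NAME"])).
    store.pop(cookie_sid, None)
    return None  # no cookie left to present


def replay_works(login, logout):
    """Run steps (a)-(c) and report whether an id seen during (a) is live after (c)."""
    store = {}
    cookie = login(store, None, "alice")       # (a) log in, get a session id
    captured = cookie                          # id observed between (a) and (b)
    cookie = logout(store, cookie)             # (b) log out
    assert store.get(captured) is None         # nothing attached while logged out
    login(store, cookie, "alice")              # (c) log in again
    return store.get(captured) is not None     # True => captured id is valid again
```

In this model either hardening on its own already stops the replay, but rotating the id on login is the half that still holds if a stale cookie ever outlives logout.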