[Flask] Session id reuse and Flask-session question

Ritesh Nadhani riteshn at gmail.com
Wed Aug 16 13:18:20 EDT 2017


Thanks.

That is what I needed. This seems to be what I needed and now the
session id is cleared.

On Wed, Aug 16, 2017 at 8:50 AM, Bryan Corralejo <corralejob at gmail.com> wrote:
> Ritesh,
>
> Do you use session.clear() to clear the session on logout or invalidate it using some other method? Also, is the session modified before you clear it? Maybe using flash?
>
> Regards,
>
> Bryan
>
>
>
>> On Aug 16, 2017, at 10:41 AM, Ritesh Nadhani <riteshn at gmail.com> wrote:
>>
>> Hello
>>
>> We are using Flask-Session (with RedisSession) for our session
>> management. Recently, during a security review it was found that we
>> can do session reuse in our system.
>>
>> Basically, the steps are:
>>
>> a) Log back in, we get a session id and stored in cookie
>> b) Log back out, we invalidate the data attached to the session id but
>> the session id is still present in the cookie.
>> c) Log back in and the session id is reused with the data validated.
>>
>> Now between, step (a) and (b) if somebody gets access to the token
>> they will be able to reuse it again once the user logs back in and the
>> data associated to the session_id is valid again.
>>
>> Looking at the problem, it seems the best way would be to delete the
>> cookie when user logs out. I was reviewing the code and it seems this
>> is the place where the relevant code path happens:
>>
>> https://github.com/fengsp/flask-session/blob/master/flask_session/sessions.py#L144
>>
>> But I am not really sure how this code path is valid (not session and
>> session.modified) for the next two lines of code to be executed. How is
>> this condition met?
>>
>> This seems to be a generic problem? How do you guys solve it or how
>> even non-Flask frameworks solve it?
>>
>> NOTE: we do run everything over HTTPS with the SecureOnly flag set in the cookie.
>>
>> --
>> Ritesh
>> _______________________________________________
>> Flask mailing list
>> Flask at python.org
>> https://mail.python.org/mailman/listinfo/flask



-- 
Ritesh
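The reuse scenario from the thread, as an added example that is not part of the original posts or of Flask-Session: a small in-memory stand-in for the Redis store behind Flask-Session, with the reported flow (logout clears server-side data but leaves the session id in the cookie, so the next login revives the same id) beside the two fixes discussed (delete the cookie on logout, which is the branch Flask-Session takes once `session.clear()` has left the session empty and modified, and rotate the session id on login). Store, cookie dict and function names are all constructed for this example.

```python
import secrets

class SessionStore:
    """Constructed stand-in for the Redis store: session id -> session data."""
    def __init__(self):
        self.data = {}

def login(store, cookie, user, rotate_sid):
    """Log in. rotate_sid=False reuses whatever sid is already in the cookie
    (the reported bug); rotate_sid=True issues a fresh sid and drops the old one."""
    sid = cookie.get("session")
    if rotate_sid or sid is None:
        if sid is not None:
            store.data.pop(sid, None)      # old id must never map to data again
        sid = secrets.token_urlsafe(32)
        cookie["session"] = sid
    store.data[sid] = {"user": user}
    return sid

def logout(store, cookie, delete_cookie):
    """Log out: invalidate the server-side data; optionally delete the cookie too.
    With Flask-Session, session.clear() makes the session empty and modified,
    which is what triggers the delete_cookie branch in save_session."""
    sid = cookie.get("session")
    if sid is not None:
        store.data.pop(sid, None)
    if delete_cookie:
        cookie.pop("session", None)

def is_live(store, captured_sid):
    """Would a session id captured earlier still resolve to a valid session?"""
    return captured_sid in store.data

def scenario(rotate_sid, delete_cookie):
    """Login -> logout -> login with one browser cookie jar.
    Returns (same id issued twice, id captured before logout still live)."""
    store, cookie = SessionStore(), {}
    first = login(store, cookie, "alice", rotate_sid)
    logout(store, cookie, delete_cookie)
    assert not is_live(store, first)        # data really is gone after logout
    second = login(store, cookie, "alice", rotate_sid)
    return first == second, is_live(store, first)

if __name__ == "__main__":
    print("as reported  :", scenario(rotate_sid=False, delete_cookie=False))
    print("delete cookie:", scenario(rotate_sid=False, delete_cookie=True))
    print("rotate on login:", scenario(rotate_sid=True, delete_cookie=False))
```

Either fix alone breaks the replay; doing both is the usual practice, since rotating on login also covers a session id planted before the user ever logged in.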

