[Flask] Session id reuse and Flask-session question

Ritesh Nadhani riteshn at gmail.com
Wed Aug 16 13:18:20 EDT 2017


That is what I needed. This seems to be what I needed and now the
session id is cleared.

On Wed, Aug 16, 2017 at 8:50 AM, Bryan Corralejo <corralejob at gmail.com> wrote:
> Ritesh,
> Do you use session.clear() to clear the session on logout, or invalidate it using some other method? Also, is the session modified before you clear it? Maybe using flash?
> Regards,
> Bryan
>> On Aug 16, 2017, at 10:41 AM, Ritesh Nadhani <riteshn at gmail.com> wrote:
>> Hello
>> We are using Flask-Session (with RedisSession) for our session
>> management. Recently, during a security review it was found that we
>> can do session reuse in our system.
>> Basically, the steps are:
>> a) Log back in; we get a session id and it is stored in the cookie.
>> b) Log back out; we invalidate the data attached to the session id, but
>> the session id is still present in the cookie.
>> c) Log back in, and the session id is reused with the data validated.
>> Now, between steps (a) and (b), if somebody gets access to the token,
>> they will be able to reuse it again once the user logs back in and the
>> data associated with the session_id is valid again.
>> Looking at the problem, it seems the best way would be to delete the
>> cookie when user logs out. I was reviewing the code and it seems this
>> is the place where the relevant code path happens:
>> https://github.com/fengsp/flask-session/blob/master/flask_session/sessions.py#L144
>> But I am not really sure how this code path is valid (not session and
>> session.modified) for the next two lines of code to be executed. How is
>> this condition met?
>> This seems to be a generic problem? How do you guys solve it, or how do
>> even non-Flask frameworks solve it?
>> NOTE: we do run everything over HTTPS with the SecureOnly flag set in the cookie.
>> --
>> Ritesh
>> _______________________________________________
>> Flask mailing list
>> Flask at python.org
>> https://mail.python.org/mailman/listinfo/flask
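
To make the exchange above concrete, here is an added example that is not code from the thread and not Flask-Session's own code. It models the save-time condition the question points at in plain Python: a dict stands in for Redis, a dict stands in for the browser's cookie jar, and `ServerSideSession` is a simplified session object. It assumes the save logic is "empty and modified: drop the stored data and the cookie; otherwise write the data back under the same sid", which is what the thread describes; `flash`, `login_rotating`, `handle` and `replay_after_relogin` are helpers constructed for this demonstration. It shows why a flash after `clear()` keeps the old sid alive across a re-login, why a bare `clear()` does not, and that issuing a new sid at login closes the gap even when the cookie lingers.

```python
import secrets

# Constructed stand-in for the Redis backend: session id (sid) -> session data.
STORE = {}


class ServerSideSession(dict):
    """Simplified model of a server-side session: the data lives in STORE and
    the browser cookie carries only the sid. Writes and clear() mark it modified."""

    def __init__(self, sid, data=None):
        super().__init__(data or {})
        self.sid = sid
        self.modified = False

    def __setitem__(self, key, value):
        super().__setitem__(key, value)
        self.modified = True

    def clear(self):
        super().clear()
        self.modified = True


def open_session(cookie):
    """Load the session the cookie names; start a fresh one if there is no
    cookie or the sid is unknown to the store."""
    sid = cookie.get("session")
    if sid is None or sid not in STORE:
        return ServerSideSession(secrets.token_urlsafe(32))
    return ServerSideSession(sid, STORE[sid])


def save_session(session, cookie):
    """Model of the save-time condition discussed in the thread: an empty,
    modified session drops both the stored data and the cookie; anything
    else is written back under the same sid, which the cookie keeps."""
    if not session and session.modified:
        STORE.pop(session.sid, None)
        cookie.pop("session", None)
        return
    STORE[session.sid] = dict(session)
    cookie["session"] = session.sid


def flash(session, message):
    """Model of a flashed message: it is kept in the session, so flashing
    after clear() leaves the session non-empty (assumed behaviour)."""
    session["_flashes"] = list(session.get("_flashes", [])) + [message]


def handle(cookie, view):
    """One request: open the session, run the view, save the session."""
    session = open_session(cookie)
    view(session)
    save_session(session, cookie)


def login(session, user):
    session["user"] = user


def login_rotating(session, user):
    """Login that issues a new sid: the old store entry is removed, so a
    sid captured earlier maps to nothing even if the cookie lingered."""
    STORE.pop(session.sid, None)
    session.sid = secrets.token_urlsafe(32)
    session["user"] = user


def logout_vulnerable(session):
    # clear() empties the session, but the flash repopulates it, so the
    # same sid is written back and the cookie survives the logout.
    session.clear()
    flash(session, "You have been logged out")


def logout_fixed(session):
    # Leave the session empty and modified: store entry and cookie both go.
    session.clear()


def replay_after_relogin(logout_view, login_view=login):
    """True if a sid copied while the user was logged in still resolves to
    that user's data after a logout and a second login."""
    STORE.clear()
    browser = {}
    handle(browser, lambda s: login_view(s, "alice"))
    captured_sid = browser["session"]       # copied by a third party here
    handle(browser, logout_view)
    handle(browser, lambda s: login_view(s, "alice"))
    replay = open_session({"session": captured_sid})
    return replay.get("user") == "alice"


def main():
    print("clear()+flash logout, plain login  :", replay_after_relogin(logout_vulnerable))
    print("bare clear() logout, plain login   :", replay_after_relogin(logout_fixed))
    print("clear()+flash logout, new sid login:", replay_after_relogin(logout_vulnerable, login_rotating))


if __name__ == "__main__":
    main()
```

Running it prints `True` for the first case and `False` for the other two: the captured sid only stays useful when something written after `clear()` keeps the session non-empty, so the old sid is saved back and the cookie is never deleted. The second argument of `replay_after_relogin` lets you pair either logout handler with either login handler to check a given combination.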

