[Flask] Flask sessions management and Flask-Login

David Nieder davidnieder at gmx.de
Wed Aug 15 09:04:38 EDT 2018


Hi
It has been a while since I used flask but I will try to answer your 
questions.

Flask uses cookie-based sessions. Everything you write to the 'session' 
dict gets transmitted to the client alongside the rest of your HTTP 
response. On the next request the client (the browser) sends everything 
back to the server and Flask makes the data available to your app via 
the session object.
Make sure to set 'SECRET_KEY' in your application so the framework can 
cryptographically sign your data, but I think Flask will warn you about 
that.

Now, to your questions.

On 8/15/18 3:54 AM, CCP Dragonedge wrote:
> Hi,
> 
> I've been going over the documentation about sessions management and
> Flask-Login, and just want to make sure my understanding is correct.
> 
> Let's say I have my login and logout code as such (this is pseudo-code):
> 
> def login():
>     if USER_IS_VALID():
>         session['userID'] = str(FROM_DATABASE(username, password))
> 
> def logout():
>     session.pop('userID', None)  # default avoids a KeyError on a second logout
> 
> This is sufficient to make sure that after a user logs out, someone can't
> go and just click on the browser's Back button and steal that user's
> session - provided that every page always makes sure that userID is in the
> session - right?

Yes, as long as an attacker doesn't manage to steal the cookie, you 
should be fine.

> But I assume the above approach is NOT sufficient to handle concurrent
> users. Is that correct?

No, every user has their own session.

> 
> So, to handle concurrent users (i.e. keeping their session data apart), one
> should use Flask-Login?

Flask-Login helps you with common tasks such as logging a user in and 
out and restricting some of your views to logged-in users.
You do not need to work with the session object directly anymore.

> 
> Finally, Flask-Login documentation doesn't say it specifically, but all the
> examples that I've seen online assume the use of Flask-SQLAlchemy. Has
> anyone used Flask-Login without using Flask-SQLAlchemy? I ask because the
> database portion of the legacy code that I'm working on has Python routines
> to access and manipulate the data (kind of like my pseudo-code; security
> reasons). But I can't actually get at SQL statements (i.e. I don't know
> exactly the table structure).

No, what kind of ORM or database you use is entirely up to you. You just 
need a way to tell if the credentials a user provides when logging in 
are correct and some unique ID to tell your users apart.

> 
> If anyone could confirm my suspicions, I would appreciate it greatly.
> 
> Thanks,
> p
> 

I hope this clarified things a bit for you.

Happy coding,
David

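The reply above explains that the session dict travels to the browser as a signed cookie and that the scheme is safe "as long as an attacker doesn't manage to steal the cookie". The following is an added example, not code from the thread or from Flask itself: a simplified stdlib-only model of a signed session cookie (Flask's real implementation uses itsdangerous with a timestamp and compact, optionally zlib-compressed JSON, so the exact format differs). The secret key, the userID value and the helper names are constructed for the demonstration. It shows three things a practitioner should check: the payload is readable by anyone holding the cookie (signed, not encrypted), editing userID without the key fails verification, and because the server keeps no state, the cookie issued before logout still verifies afterwards, which is exactly why a stolen cookie remains usable.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this demonstration only; Flask reads the real one
# from app.config['SECRET_KEY'].
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as cookie-friendly text."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; re-adds the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize a session dict into a tamper-evident cookie: payload.signature."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def load_session(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Verify the signature and return the session dict; None if invalid or tampered."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        given = _unb64(sig)
    except ValueError:  # no separator or undecodable signature
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(payload))


def peek_session(cookie: str) -> dict:
    """What the client can read WITHOUT the key: the payload is encoded, not encrypted."""
    payload = cookie.rsplit(".", 1)[0]
    return json.loads(_unb64(payload))


def forge_user(cookie: str, user_id: str) -> str:
    """Attacker rewrites userID but has to reuse the old signature (no key)."""
    payload, sig = cookie.rsplit(".", 1)
    data = json.loads(_unb64(payload))
    data["userID"] = user_id
    return f"{_b64(json.dumps(data, sort_keys=True).encode())}.{sig}"


def login(user_id: str) -> str:
    """Mirrors session['userID'] = ... in the thread: returns the new cookie value."""
    return sign_session({"userID": user_id})


def logout(cookie: str) -> str:
    """Mirrors session.pop('userID'): returns the replacement cookie value."""
    data = load_session(cookie) or {}
    data.pop("userID", None)
    return sign_session(data)


def current_user(cookie: str) -> Optional[str]:
    """The check every protected view performs: is a valid userID present?"""
    data = load_session(cookie)
    return None if data is None else data.get("userID")


if __name__ == "__main__":
    issued = login("42")
    print("client can read:", peek_session(issued))
    print("forged cookie accepted:", current_user(forge_user(issued, "1")) is not None)
    after_logout = logout(issued)
    print("user after logout:", current_user(after_logout))
    # The server kept no state, so a copy taken before logout is still valid.
    print("old cookie still valid:", current_user(issued))
```

The last line is the caveat behind "as long as an attacker doesn't manage to steal the cookie": with purely client-side sessions, logout only changes the cookie the browser holds; it cannot invalidate a copy already exfiltrated. If you need real revocation, keep a random session identifier in the cookie and check it against server-side state (or rotate SECRET_KEY, which logs everyone out).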
