[Flask] Flask sessions management and Flask-Login
David Nieder
davidnieder at gmx.de
Wed Aug 15 09:04:38 EDT 2018
Hi
It has been a while since I used flask but I will try to answer your
questions.
Flask uses cookie based sessions. Everything you write to the 'session'
dict gets transmitted to the client alongside the rest of your http
response. On the next request the client (the browser) sends everything
back to the server and Flask makes the data available to your app via
the session object.
Make sure to set 'SECRET_KEY' in your application so the framework can
cryptographically sign your data, but I think Flask will warn you about
that.
Now, to your questions.
On 8/15/18 3:54 AM, CCP Dragonedge wrote:
> Hi,
>
> I've been going over the documentation about sessions management and
> Flask-Login, and just want to make sure my understanding is correct.
>
> Let's say I have my login and logout code as such (this is pseudo-code):
>
> def login():
>     if USER_IS_VALID():
>         session['userID'] = str(FROM_DATABASE(username, password))
>
> def logout():
>     session.pop('userID', None)
>
> This is sufficient to make sure that after a user logs out, someone can't
> go and just click on the browser's Back button and steal that user's
> session - provided that every page always makes sure that userID is in the
> session - right?
Yes, as long as an attacker doesn't manage to steal the cookie, you
should be fine.
> But I assume the above approach is NOT sufficient to handle concurrent
> users. Is that correct?
No, every user has their own session.
>
> So, to handle concurrent users (i.e. keeping their session data apart), one
> should use Flask-Login?
Flask-Login helps you with common tasks such as logging a user in and
out and restricting some of your views to logged-in users.
You do not need to work with the session object directly anymore.
>
> Finally, Flask-Login documentation doesn't say it specifically, but all the
> examples that I've seen online assume the use of Flask-SQLAlchemy. Has
> anyone used Flask-Login without using Flask-SQLAlchemy? I ask because the
> database portion of the legacy code that I'm working on has Python routines
> to access and manipulate the data (kind of like my pseudo-code; security
> reasons). But I can't actually get at SQL statements (i.e. I don't know
> exactly the table structure).
No, what kind of ORM or database you use is entirely up to you. You just
need a way to tell if the credentials a user provides when logging in
are correct and some unique ID to tell your users apart.
>
> If anyone could confirm my suspicions, I would appreciate it greatly.
>
> Thanks,
> p
>
I hope this clarified things a bit for you.
Happy coding,
David
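As an added illustration, not code from this thread: the login/logout scheme from the question written as a runnable Flask app, with the 'SECRET_KEY' signing the cookie, a decorator that refuses any view whose session lacks 'userID', and two test clients standing in for two browsers to show that sessions are kept apart per client. The user store is a constructed in-memory dict standing in for the legacy lookup routines; no ORM is involved.

```python
# Added example, not from the thread: the question's login/logout scheme as a
# runnable Flask app, with two test clients standing in for two browsers.
from functools import wraps
from flask import Flask, abort, request, session
from werkzeug.security import check_password_hash, generate_password_hash

app = Flask(__name__)
app.config["SECRET_KEY"] = "replace-with-a-random-secret"  # signs the session cookie
# Constructed stand-in for the legacy lookup routines; no ORM involved.
USERS = {"alice": generate_password_hash("pw-a"), "bob": generate_password_hash("pw-b")}

def user_is_valid(username, password):
    """Compare against the stored hash, never against a plaintext password."""
    stored = USERS.get(username)
    return stored is not None and check_password_hash(stored, password)

def login_required(view):
    """Every protected view checks the session; after logout userID is gone."""
    @wraps(view)
    def wrapper(*args, **kwargs):
        if "userID" not in session:
            abort(401)
        return view(*args, **kwargs)
    return wrapper

@app.route("/login", methods=["POST"])
def login():
    username = request.form.get("username", "")
    if not user_is_valid(username, request.form.get("password", "")):
        abort(403)
    session["userID"] = username  # the unique ID that tells users apart
    return "ok"

@app.route("/logout", methods=["POST"])
def logout():
    session.pop("userID", None)
    return "bye"

@app.route("/me")
@login_required
def me():
    return session["userID"]

def run_scenario():
    """Two browsers log in as different users, then the first one logs out."""
    a, b = app.test_client(), app.test_client()
    a.post("/login", data={"username": "alice", "password": "pw-a"})
    b.post("/login", data={"username": "bob", "password": "pw-b"})
    before = (a.get("/me").get_data(as_text=True), b.get("/me").get_data(as_text=True))
    a.post("/logout")
    after = (a.get("/me").status_code, b.get("/me").status_code)
    return before, after
```

After the logout, client a is refused with 401 on every protected view (the Back button replays a request without a valid userID), while client b, a different browser with its own cookie, is unaffected.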