[Flask] Flask Digest, Vol 38, Issue 4

CCP Dragonedge ccp at drsb.com.my
Wed Aug 15 23:03:23 EDT 2018


Hi David,

Thanks for the answers! Very clear and concise - much appreciated.
p


Message: 2
> Date: Wed, 15 Aug 2018 15:04:38 +0200
> From: David Nieder <davidnieder at gmx.de>
> To: flask at python.org
> Subject: Re: [Flask] Flask sessions management and Flask-Login
> Message-ID: <b4b72941-116a-52d3-9f10-b8a127f0fe81 at gmx.de>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi
> It has been a while since I used flask but I will try to answer your
> questions.
>
> Flask uses cookie based sessions. Everything you write to the 'session'
> dict gets transmitted to the client alongside the rest of your http
> response. On the next request the client (the browser) sends everything
> back to the server and Flask makes the data available to your app via
> the session object.
> Make sure to set 'SECRET_KEY' in your application so the framework can
> cryptographically sign your data, but I think Flask will warn you about
> that.
>
> Now, to your questions.
>
> On 8/15/18 3:54 AM, CCP Dragonedge wrote:
> > Hi,
> >
> > I've been going over the documentation about sessions management and
> > Flask-Login, and just want to make sure my understanding is correct.
> >
> > Let's say I have my login and logout code as such (this is pseudo-code):
> >
> > def login():
> >     if USER_IS_VALID():
> >         session['userID'] = str(FROM_DATABASE(username, password))
> >
> > def logout():
> >     session.pop('userID', None)  # default avoids a KeyError if logout runs twice
> >
> > This is sufficient to make sure that after a user logs out, someone can't
> > go and just click on the browser's Back button and steal that user's
> > session - provided that every page always makes sure that userID is in
> > the session - right?
>
> Yes, as long as an attacker doesn't manage to steal the cookie, you
> should be fine.
>
> > But I assume the above approach is NOT sufficient to handle concurrent
> > users. Is that correct?
>
> No, every user has their own session.
>
> >
> > So, to handle concurrent users (i.e. keeping their session data apart),
> > one should use Flask-Login?
>
> Flask-Login helps you with common tasks such as logging a user in and
> out and restricting some of your views to logged-in users.
> You do not need to work with the session object directly anymore.
>
> >
> > Finally, Flask-Login documentation doesn't say it specifically, but all
> > the examples that I've seen online assume the use of Flask-SQLAlchemy. Has
> > anyone used Flask-Login without using Flask-SQLAlchemy? I ask because the
> > database portion of the legacy code that I'm working on has Python
> > routines to access and manipulate the data (kind of like my pseudo-code;
> > security reasons). But I can't actually get at SQL statements (i.e. I don't
> > know exactly the table structure).
>
> No, what kind of ORM or database you use is entirely up to you. You just
> need a way to tell if the credentials a user provides when logging in
> are correct and some unique ID to tell your users apart.
>
> >
> > If anyone could confirm my suspicions, I would appreciate it greatly.
> >
> > Thanks,
> > p
> >
>
> I hope this clarified things a bit for you.
>
> Happy coding,
> David
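The signed-cookie mechanism David describes, as an added stand-alone example (not Flask's own code and not anything posted in this thread): a minimal HMAC-signed session in plain Python that mimics what Flask does through itsdangerous. It shows that 'userID' survives a round trip only when the signature verifies, that each client carries its own session, that the payload is readable by anyone holding the cookie, and that a cookie captured before logout still verifies afterwards, which is the caveat in the reply. The secret key and user IDs are constructed, and all function names are my own.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the demo; a real SECRET_KEY must be long, random and private.
SECRET_KEY = b"demo-secret-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())


def serialize_session(session: dict) -> str:
    """Turn a session dict into a signed cookie value of the form payload.signature."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def load_session(cookie: Optional[str]) -> dict:
    """Return the session dict if the signature verifies, otherwise an empty session."""
    if not cookie or "." not in cookie:
        return {}
    payload, signature = cookie.rsplit(".", 1)
    if not hmac.compare_digest(signature, _sign(payload)):
        return {}  # tampered, or signed with a different key: treat as no session
    return json.loads(_unb64(payload))


def peek_without_key(cookie: str) -> dict:
    """What any holder of the cookie can read: the payload is encoded, not encrypted."""
    payload, _ = cookie.rsplit(".", 1)
    return json.loads(_unb64(payload))


def login(session: dict, user_id: str) -> str:
    """Mirror of the thread's login(): store the user's ID and re-sign the cookie."""
    session = dict(session)
    session["userID"] = user_id
    return serialize_session(session)


def logout(session: dict) -> str:
    """Mirror of the thread's logout(): drop the ID and re-sign the cookie."""
    session = dict(session)
    session.pop("userID", None)
    return serialize_session(session)


def current_user(cookie: Optional[str]) -> Optional[str]:
    return load_session(cookie).get("userID")


def demo() -> dict:
    alice = login({}, "42")   # two clients, two independent cookies
    bob = login({}, "7")
    # A cookie with the real payload but a garbage signature.
    forged = alice.rsplit(".", 1)[0] + "." + _b64(b"\x00" * 32)
    # A cookie with an edited payload (userID changed) but Alice's original signature.
    tampered = _b64(json.dumps({"userID": "1"}).encode()) + "." + alice.rsplit(".", 1)[1]
    return {
        "alice_user": current_user(alice),
        "bob_user": current_user(bob),
        "alice_after_logout": current_user(logout(load_session(alice))),
        "stale_cookie_still_valid": current_user(alice),  # the pre-logout cookie, replayed
        "forged_user": current_user(forged),
        "tampered_user": current_user(tampered),
        "readable_without_key": peek_without_key(alice),
    }


if __name__ == "__main__":
    print(demo())
```

The two takeaways for a practitioner are that a signed session is tamper-evident but not confidential, so nothing secret belongs in `session`, and that logout only empties the browser's copy of the cookie: a copy captured earlier keeps verifying, which is why a stolen cookie needs a short lifetime or server-side state to expire it.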