Session identifier overhaul: Randomly generated session identifier #757
TheWhit3F0x
started this conversation in
Ideas
Replies: 2 comments 1 reply
-
Flask-Login works regardless of what session provider is used. Flask documents how to override the session provider, or Flask-Session provides multiple server-side integrations. This isn't something Flask-Login itself needs to handle.
-
I would also suggest creating a config variable for setting the key name from which to retrieve the user id, as
-
The session identifier model of Flask-Login presents 2 major weaknesses:
An alternative to this approach may be using random session identifiers for each session. These random identifiers are stored on the server, so each time a user presents one, the server will be able to associate it with the correct user.
With this approach, these two weaknesses are completely wiped out, as each session will have a unique session identifier and, if an attacker manages to get a session identifier, it will be unique to that user. On the other hand, invalidating sessions is a really simple process, as it is only necessary to pop these identifiers out of the server storage.
This idea is indeed supported by OWASP in this cheatsheet.
I am aware that this idea presents an important overhaul to the way this extension works, but I feel like security and simplicity are more important. Maybe someone could fork this project and change the way session identifiers work.
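The server-side model the original post proposes, and the "override the session provider" route the first reply points to, both come down to the same store: an opaque random identifier in the cookie, the real data (including the user id Flask-Login keeps in the session) looked up on the server, and logout or revocation as a single delete. The following is an added, stand-alone example, not code from Flask-Login, Flask or Flask-Session. It assumes an in-memory dict as the backend, an injectable clock, and that Flask-Login's user id lives under the session key `_user_id` (the key name differs across versions, which is exactly why the second reply asks for a config variable). It also stores only a SHA-256 digest of each identifier, so a copy of the store does not hand out usable cookies, and it rotates the identifier at login so a pre-login identifier planted on a victim is worthless afterwards.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional


class ServerSideSessionStore:
    """Random, server-resolved session identifiers (added example, in-memory backend).

    The cookie value is an opaque 256-bit token; only its SHA-256 digest is kept
    server-side, mapped to the session data and an expiry. A real deployment
    would put the same mapping in Redis or a database, as Flask-Session does.
    """

    def __init__(self, ttl_seconds: int = 3600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now                       # injectable clock, so expiry is testable offline
        self._sessions: Dict[str, dict] = {}  # digest(session_id) -> {"data": ..., "expires": ...}

    @staticmethod
    def _digest(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, data: Optional[dict] = None) -> str:
        """Start a session and return the identifier to send as the cookie value."""
        session_id = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG, 43 URL-safe chars
        self._sessions[self._digest(session_id)] = {
            "data": dict(data or {}),
            "expires": self._now() + self._ttl,
        }
        return session_id

    def load(self, session_id: Optional[str]) -> Optional[dict]:
        """Resolve a presented identifier; None for absent, unknown or expired ones."""
        if not session_id:
            return None
        key = self._digest(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            del self._sessions[key]           # lazy expiry: drop it on first sight
            return None
        return entry["data"]

    def rotate(self, old_session_id: str) -> Optional[str]:
        """Re-issue the identifier for an existing session (call this at login)."""
        data = self.load(old_session_id)
        if data is None:
            return None
        self.invalidate(old_session_id)
        return self.create(data)

    def invalidate(self, session_id: str) -> bool:
        """Logout: one delete, no cookie-signing secret involved."""
        return self._sessions.pop(self._digest(session_id), None) is not None

    def invalidate_user(self, user_id: str) -> int:
        """Revoke every session of one user (password change, account compromise)."""
        doomed = [d for d, e in self._sessions.items() if e["data"].get("_user_id") == user_id]
        for d in doomed:
            del self._sessions[d]
        return len(doomed)


def demo() -> dict:
    """Walk through the properties the post claims, returning each check as a bool."""
    clock = [1_000.0]
    store = ServerSideSessionStore(ttl_seconds=10, now=lambda: clock[0])

    anon = store.create()                           # anonymous visitor gets an id before login
    store.load(anon)["_user_id"] = "alice"          # assumed Flask-Login key name
    logged_in = store.rotate(anon)                  # new id at login; the pre-login id dies
    second = store.create({"_user_id": "alice"})    # same user on a second device: distinct id

    checks = {}
    checks["old_id_dead_after_rotate"] = store.load(anon) is None
    checks["new_id_resolves"] = store.load(logged_in)["_user_id"] == "alice"
    checks["ids_unique_per_session"] = logged_in != second
    checks["unknown_id_rejected"] = store.load("A" * 43) is None
    checks["logout_is_one_delete"] = store.invalidate(logged_in) and store.load(second) is not None
    checks["revoke_all_for_user"] = store.invalidate_user("alice") == 1 and store.load(second) is None

    later = store.create({"_user_id": "bob"})
    clock[0] += 11                                  # past the TTL
    checks["expired_id_rejected"] = store.load(later) is None
    return checks


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

To put this behind Flask, the store would sit inside a subclass of `flask.sessions.SessionInterface` whose `open_session` calls `load` on the cookie value and whose `save_session` calls `create` or writes back the data, assigned to `app.session_interface`; Flask-Login itself is untouched because it only reads and writes the session dict. The digest-before-store step matters because the store is now the credential database for every live login.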