Is your feature request related to a problem? Please describe.

When we log in a user, we set their session to contain the user_id here:
hushline/hushline/routes.py, line 399 in 74ca986

Our auth function is defined here:
hushline/hushline/utils.py, lines 16 to 26 in 74ca986

Because the auth function does not hit the database on every request, it could be possible for a user to be deleted from the database and that user to still actively use the session. Currently this does not happen, as the bug #570 (infinite redirect) is hit instead.

Further, since the session uses the user's primary key (users.id) as the identifier, even if we fixed the logic to do a lookup on that value for every request, it would be impossible to invalidate the session without some additional logic being added to the app and DB.

Describe the solution you'd like

Just use Flask-Login

Add a session_id field to the users table (or a separate related sessions table). Use the session_id in the session token. Look up the user on every request, and add the User object to Flask.g so that only the session_id needs to be stored in the cookie.