Invalidate an old session in Flask

Backend · Unresolved · 4 · 1752
名媛妹妹 2020-12-13 10:29

How do I create a new clean session and invalidate the current one in Flask?

Do I use make_null_session() or open_session()?

4 answers
  • 2020-12-13 10:36

    If you use default flask sessions and set the app.permanent_session_lifetime, then the session will not work if a user tries to replay the same session as long as the session has expired. If you look at the source code for open_session, there is this line:

    # Fragment of Flask's SecureCookieSessionInterface.open_session: the signed
    # cookie is refused by itsdangerous once it is older than permanent_session_lifetime.
    max_age = total_seconds(app.permanent_session_lifetime)
    try:
        data = s.loads(val, max_age=max_age)
        return self.session_class(data)
    except BadSignature:
        return self.session_class()
    
  • 2020-12-13 10:46

    If you have security concerns (and everyone should have), there is the answer:

    This is not REALLY possible.

    Flask uses cookie-based sessions. When you edit or delete the session, you send a REQUEST to the CLIENT to remove the cookie, which normal clients (browsers) will do. But if the session is hijacked by an attacker, the attacker's session remains valid.

  • 2020-12-13 10:51

    I do this by calling session.clear().

    EDIT:

    After reading your comment in another answer, I see that you're trying to prevent a replay attack that might be made using a cookie that was issued in the past. I solved that problem as much as possible* with this approach:

    • Override SecureCookieSessionInterface.save_session(), copying the code from the overridden version rather than calling it.
    • When the overridden version of save_session() calls save_cookie(), make it pass a session_expires argument 30 minutes in the future. This causes cookies more than 30 minutes old to be considered invalid.
    • Make the overridden version of save_session() update a session variable every so often, to make sure the cookie and its session_expires time get rewritten regularly. (I name this session variable '_refresh' and store the current time in it, then rewrite it only if more than a few seconds have passed since the last-stored time. This optimization avoids rewriting the cookie on every HTTP request.)

    Duplicating Flask code in the custom save_session() makes this approach a bit ugly and brittle, but it is necessary in order to change the arguments passed to save_cookie(). It would be nice if Flask made this easier, or at least implemented its own safeguard against replay attacks.

    *WARNING: This approach by itself will not stop replay attacks that might happen during a session cookie's valid lifetime. This fundamental problem with cookie-based sessions is discussed in RFC 6896 and A Secure Cookie Protocol by Liu, Kovacs, Huang, Gouda.

  • 2020-12-13 10:56

    You can add an after_request callback to remove the session cookie if a particular flag is set:

    from flask import Flask, redirect, session, url_for

    app = Flask(__name__)
    app.secret_key = "change-me"  # placeholder signing key for the session cookie

    @app.after_request
    def remove_if_invalid(response):
        # Ask the browser to drop the session cookie once the flag has been set.
        # (app.session_cookie_name was removed in Flask 2.3; newer code reads
        #  app.config["SESSION_COOKIE_NAME"] instead.)
        if "__invalidate__" in session:
            response.delete_cookie(app.session_cookie_name)
        return response

    Then you simply set that session key whenever you want to invalidate the session:

    @app.route("/logout")
    def logout():
        # Setting the flag marks this session for removal in the after_request hook.
        session["__invalidate__"] = True
        return redirect(url_for("index"))

    See also: http://werkzeug.pocoo.org/docs/wrappers/#werkzeug.wrappers.BaseResponse.delete_cookie
