Forcibly destroy existing session on logout.
To comply with security guidelines, we need to destroy the session when a user logs out. This means that the session's key in the Redis cache needs to be deleted. Flask expects to _always_ have a session object. If the current session object does not exist in the Redis cache, Flask will reserialize and store it at the end of the request. In order for session deletion to work, we need to delete the key for the existing session and then replace the session object with a new, empty one. This also updates the SessionLimiter class so that the session prefix is configurable.
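The mechanism the commit message describes, as an added illustration that is not code from the ATAT project or from Flask-Session: a constructed in-memory stand-in for the Redis cache and for the end-of-request save hook, showing why deleting the session's key on its own gets undone, and why deleting the key and then handing Flask a fresh empty session does not. The `FakeRedis`, `ServerSession`, `save_session`, `naive_logout`, `logout` and `run_logout` names, and the `session:` prefix, are assumptions of this example.

```python
import secrets

# Constructed stand-ins (added example, not the project's code): a minimal
# in-memory "Redis" and a server-side session that mirror the behaviour the
# commit message describes. Flask-Session's real classes are not imported.


class FakeRedis:
    """Just enough of the redis-py API for this example: set/get/delete/keys."""

    def __init__(self):
        self._data = {}

    def set(self, key, value):
        self._data[key] = value

    def get(self, key):
        return self._data.get(key)

    def delete(self, key):
        return 1 if self._data.pop(key, None) is not None else 0

    def keys(self):
        return list(self._data)


class ServerSession(dict):
    """Session dict identified by a server-side id (sid), like Flask-Session's."""

    def __init__(self, sid, initial=None):
        super().__init__(initial or {})
        self.sid = sid


def new_session():
    # Fresh sid from the CSPRNG, so the old cookie value can never map back.
    return ServerSession(secrets.token_urlsafe(32))


def save_session(cache, key_prefix, session):
    """End-of-request hook, modelled on the Redis backend behaviour the commit
    message describes: whatever session object Flask currently holds is
    (re)serialised into the cache if it has any data."""
    if session:
        cache.set(key_prefix + session.sid, dict(session))


def naive_logout(cache, key_prefix, session):
    """Broken approach: delete the key but keep using the same session object.
    Flask still holds it, so the end-of-request save writes it straight back."""
    cache.delete(key_prefix + session.sid)
    return session


def logout(cache, key_prefix, session):
    """Approach from the commit message: delete the stored key, then give Flask
    a new empty session so there is nothing left to reserialise."""
    cache.delete(key_prefix + session.sid)
    return new_session()


def run_logout(handler, key_prefix="session:"):
    """Simulate a login request, one logout request that calls `handler`, and
    the save hook after each. Returns (old key still in cache?, keys left)."""
    cache = FakeRedis()
    sess = new_session()
    sess["user_id"] = 42                      # constructed logged-in state
    save_session(cache, key_prefix, sess)     # login request persists it
    old_key = key_prefix + sess.sid

    sess = handler(cache, key_prefix, sess)   # logout request
    save_session(cache, key_prefix, sess)     # end-of-request save
    return old_key in cache.keys(), cache.keys()


if __name__ == "__main__":
    print("naive:", run_logout(naive_logout))   # old key is back in the cache
    print("fixed:", run_logout(logout))         # cache is empty
```

The prefix passed to `logout` must be the same one the save hook used when the key was written; with a mismatched prefix the `delete` silently removes nothing, which is why making the prefix a single configurable value matters.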
@@ -255,6 +255,7 @@ To generate coverage reports for the Javascript tests:
- `SERVER_NAME`: Hostname for ATAT. Only needs to be specified in contexts where the hostname cannot be inferred from the request, such as Celery workers. https://flask.palletsprojects.com/en/1.1.x/config/#SERVER_NAME
- `SESSION_COOKIE_NAME`: String value specifying the name to use for the session cookie. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_NAME
- `SESSION_COOKIE_DOMAIN`: String value specifying the name to use for the session cookie. This should be set to the root domain so that it is valid for both the main site and the authentication subdomain. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_DOMAIN
- `SESSION_KEY_PREFIX`: A prefix that is added before all session keys: https://pythonhosted.org/Flask-Session/#configuration
- `SESSION_TYPE`: String value specifying the cookie storage backend. https://pythonhosted.org/Flask-Session/
- `SESSION_USE_SIGNER`: Boolean value specifying if the cookie sid should be signed.
- `SQLALCHEMY_ECHO`: Boolean value specifying if SQLAlchemy should log queries to stdout.
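Review bot: the new `SESSION_KEY_PREFIX` entry does not say that the SessionLimiter now reads this same value, which per the commit message is the reason the setting was added, nor that the prefix must match what Flask-Session uses when it writes the key, otherwise the delete on logout misses. Suggest something like: `- `SESSION_KEY_PREFIX`: Prefix prepended to every session key in the cache; the SessionLimiter uses the same prefix when it deletes a session on logout.` While in this list, the unchanged `SESSION_COOKIE_DOMAIN` line two entries above repeats the `SESSION_COOKIE_NAME` description ("the name to use for the session cookie") and should say it is the domain the session cookie is scoped to; and `SESSION_TYPE` describes the server-side session storage backend, not "cookie storage".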