pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Forcibly destroy existing session on logout.

Browse Source 
To comply with security guidelines, we need to destroy the session when
a user logs out. This means that the session's key in the Redis cache
needs to be deleted. Flask expects to _always_ have a session object. If
the current session object does not exist in the Redis cache, Flask will
reserialize and store it at the end of the request. In order for
session deletion to work, we need to delete the key for the existing
session and then replace the session object with a new, empty one.

This also updates the SessionLimiter class so that the session prefix is
configurable.
This commit is contained in:
dandds
2020-01-19 16:05:54 -05:00
parent 0fa4fd2304
commit 944c5d3c9f
6 changed files with 63 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/base.ini
View File

@@ -42,6 +42,7 @@ SECRET_KEY = change_me_into_something_secret
SERVER_NAME
SESSION_COOKIE_NAME=atat
SESSION_COOKIE_DOMAIN
SESSION_KEY_PREFIX=session:
SESSION_TYPE = redis
SESSION_USE_SIGNER = True
SQLALCHEMY_ECHO = False