use Flask-Session instead of Flask session?

I wanted to use the built-in session dict in Flask for convenience, but after doing more reading, it seems that tracking session info on the server is going to be better, especially for any data that shouldn't be in the client cookie. If a user logs in and does some manipulations, those actions should be tracked for that particular session and user.

Anybody using Flask-Session for this? What are some good practices here? Any other random advice? Thanks. Just getting started.

In terms of security, Flask's built-in session is safe for the most part. Using your app secret, it is able to encrypt the cookie loosely (someone can still decrypt it) and also add an integrity check afterward (so anyone who edits the cookie without encrypting it with the app secret will make Flask reject it). But I see your concern here.

Unfortunately, you have asked those who use the Flask-Session extension to respond to this post. I, for one, do not use it. Aside from the blurb I gave above, I am no help. Sorry.

Thanks a lot. The implementation doesn't have to be Flask-Session. I'm wondering more about conceptual good practices. Essentially it seems like the cookie has some session identifier (that cannot be accessed) so that the Flask app knows (without any reliance on the server side) that there is a session, e.g., with a specific user logged in. However, if my app wants to save some state on the server, it will need to do that some other way (database, Redis, Flask-Session, etc., whatever might make sense implementation-wise). For example, some temporary data useful during the session, such as some kind of image edit, could be saved for the session only, then deleted when the session is done. In addition, the security concern seems to be to not put anything sensitive in the built-in session variable. Otherwise it sounds ok to use.

It sounds like my app needs to come up with its own (long random string) session ID, store it in the session dict, access it server-side, match it to the user ID, use those two to identify temporary session data for that user and that session, and destroy the session ID afterwards (on auto-logout, logout, or browser tab/window close, I suppose). I think that is the right pattern but am not sure. At first I thought it's such a common pattern that either Flask's session or Flask-Session would make it really easy.

Edit: also, can we use the built-in session['csrf_token'] as a built-in session ID?

Thanks for any thoughts.
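The pattern sketched in the post above (random server-side session ID, server-side storage keyed by that ID and the user ID, destroyed on logout or idle timeout), as an added example that is not code from the thread. It is framework-independent and in-memory; the `session["sid"]` key, the 600-second idle timeout and the Redis/database replacement are assumptions.

```python
import secrets
import time


class ServerSideSessionStore:
    """In-memory store for the pattern above: the client only ever holds an
    opaque random session ID (in Flask it would live in the signed ``session``
    cookie), while the user ID and any temporary working data stay on the
    server. Swap the dict for Redis or a database table in a real deployment."""

    def __init__(self, ttl_seconds=1800, clock=time.monotonic):
        self._sessions = {}        # sid -> {"user_id", "data", "expires"}
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so idle-timeout logic is testable

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG (43 URL-safe chars): not guessable, so
        # the ID alone is enough to look the session up server-side.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "data": {},
                               "expires": self._clock() + self._ttl}
        return sid

    def get(self, sid, user_id):
        """Return the session's working data, or None if the ID is unknown,
        idle-expired, or does not belong to the user the request claims."""
        rec = self._sessions.get(sid)
        if rec is None or rec["user_id"] != user_id:
            return None
        if rec["expires"] <= self._clock():
            self.destroy(sid)      # auto-logout: temporary data is dropped too
            return None
        rec["expires"] = self._clock() + self._ttl   # sliding idle timeout
        return rec["data"]

    def destroy(self, sid):
        """Explicit logout: remove the session and everything stored under it."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = ServerSideSessionStore(ttl_seconds=600)
    sid = store.create(user_id=42)          # in a Flask view: session["sid"] = sid
    store.get(sid, 42)["pending_crop"] = (0, 0, 128, 128)   # temporary edit state
    print(store.get(sid, 42))               # {'pending_crop': (0, 0, 128, 128)}
    store.destroy(sid)                      # logout
    print(store.get(sid, 42))               # None
```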