python - Constant Flask Session IDs
I have a Flask application, served by nginx+WSGI (FastCGI & gevent), and use standard Flask sessions. I do not use session.permanent=True or any other option, and only set SECRET_KEY in the default configuration.

I do not save any (key, value) pairs in the session, and only rely on the SID = session['_id'] entry to identify a returning user. I use the following code to read the SID:

    @page.route ('/')
    def main (page='home', template='index.html'):
        # Log the session id unless the request asks to be silent.
        if not request.args.get ('silent', False):
            print >> sys.stderr, "session id: %r" % session['_id']

I made the following observations:

1. For the same IP addresses but different browsers, the SIDs are different - that's expected;
2. For different IPs & the same browser I again have different SIDs - expected;
3. For the same IP address with the same browser I get the same SID - expected.

Now, point (3) is interesting because if I delete the corresponding cookie the SID remains constant! To some extent that might be understandable, but I was expecting the SID to change between different cookies. The only difference I see is that session.new is True for the first request after the deletion of the cookie. That is very much expected; but given these facts I face the following problems:

1. Does this mean that for different users sitting behind the same IP (with the same browser configuration) my back-end will mistake them for the same user?
2. If point (1) is not the case, the current behavior of these "sticky" sessions is quite pleasant, since it avoids the situation where users might lose their info because they deleted the corresponding cookie. They can still save the day by revisiting the site from the same network with the same browser; that is, if point (1) is not the case.
3. I assume point (1) will bite me, so is the conclusion to save a token in the session, and hence accept the fate that a user can blow himself up by deleting the cookie? Or is there a way to tell Flask to give different SIDs for each fresh cookie?

Actually, this question arose since I used the Load Impact service, simulating different users (on the same IP), but my back-end kept seeing them as a single user since the corresponding SIDs were the same.

The application is available for tests at http://webed.blackhan.ch (which upon release will move to https://notex.ch [a browser based text editor]). Thanks for your answers.

It looks like you're using the Flask-Login extension. Here's the code that generates the id token:

    def _create_identifier():
        # The identifier is derived only from the client IP and User-Agent.
        base = unicode("%s|%s" % (request.remote_addr, request.headers.get("user-agent")), 'utf8', errors='replace')
        hsh = md5()
        hsh.update(base.encode("utf8"))
        return hsh.digest()

It's md5(ip_address + user_agent).

Flask uses Werkzeug's secure cookies to store this identifier. Secure cookies are (as the name suggests) secure:

"This module implements a cookie that is not alterable from the client because it adds a checksum the server checks for. You can use it as session replacement if all you have is a user id or something to mark a logged in user."
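
The collision asked about in the question, next to a per-cookie random id, as an added example (not part of the original answer and not Flask-Login's own code). It restates the quoted function in Python 3 with the IP and User-Agent passed in explicitly; ensure_sid, the plain dict standing in for flask.session, and the sample addresses and User-Agent are assumptions constructed for illustration.

```python
import hashlib
import secrets


def fingerprint_id(remote_addr, user_agent):
    """Python 3 restatement of the quoted _create_identifier(), with the
    request values passed in explicitly instead of read from flask.request."""
    base = "%s|%s" % (remote_addr, user_agent)
    return hashlib.md5(base.encode("utf8")).digest()


def ensure_sid(session):
    """Hypothetical helper: give each fresh session its own random id.

    `session` is any dict-like object; in Flask it would be flask.session,
    whose contents live in the signed cookie, so a deleted cookie means an
    empty session and therefore a new id."""
    if "sid" not in session:
        session["sid"] = secrets.token_urlsafe(32)
    return session["sid"]


def demo():
    # Constructed sample values: two people behind one NAT gateway
    # (documentation address range) running the same browser build.
    ua = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
    alice = fingerprint_id("203.0.113.7", ua)
    bob = fingerprint_id("203.0.113.7", ua)
    other_net = fingerprint_id("198.51.100.9", ua)

    # Same client before and after deleting its cookie: the fingerprint
    # is recomputed from the same inputs, the random id is not.
    cookie_before, cookie_after = {}, {}
    sid_before = ensure_sid(cookie_before)
    sid_again = ensure_sid(cookie_before)   # cookie still present
    sid_after = ensure_sid(cookie_after)    # cookie was deleted

    return {
        "fingerprints_collide": alice == bob,
        "fingerprint_differs_by_ip": alice != other_net,
        "sid_stable_with_cookie": sid_before == sid_again,
        "sid_changes_without_cookie": sid_before != sid_after,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```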
python session flask session-cookies sessionid