CSRF token mismatch in Flask under Apache due to session reset
What happens here is that you store your sessions using Flask-KVSession and provide a memory-based DictStore as the storage:
from simplekv.memory import DictStore
from flask_kvsession import KVSessionExtension

store = DictStore()  # lives only in the memory of the process that created it
KVSessionExtension(store, app)
Root cause
In a single-process environment this works. However, when multiple worker processes come into play (Apache's mod_wsgi or any other multi-process WSGI server), they do not share memory, so each process creates its own DictStore instance. The session data, including the CSRF token, is written to the store of whichever process served the request. When two subsequent requests are served by two different processes, the first request's session changes never reach the process that serves the next request: the cookie still names the session, but that process has no record of it, so the token submitted with the form cannot be matched.
Or, even shorter: Two processes = two CSRF tokens. Not good.
Solution
Use a persistent store that every worker process reads from and writes to. Any shared backend works (simplekv also has Redis and memcached stores); what matters is that all processes see the same sessions. This is what I use:
import simplekv.memory
import simplekv.db.sql
import flask_kvsession

# config, engine and metadata are defined elsewhere in the application

def configure_session(app):
    with app.app_context():
        if config['other']['local_debug']:
            # Single local process: an in-memory store is fine
            store = simplekv.memory.DictStore()
        else:
            # Multiple worker processes: sessions live in a shared 'sessions' table
            store = simplekv.db.sql.SQLAlchemyStore(engine, metadata, 'sessions')
        # Attach session store
        flask_kvsession.KVSessionExtension(store, app)
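To make the root cause and the fix concrete, here is an added example that is not part of the original post and does not use Flask or simplekv itself. It models two WSGI worker processes as objects, each with a server-side session store, and plays through the GET that issues a form with a CSRF token followed by the POST that verifies it. The DictStore and SQLiteStore classes, the Worker class and the request flow are constructed for this illustration; SQLiteStore stands in for the shared SQLAlchemyStore above, and the session-id cookie plus server-side token mirrors how Flask-KVSession keeps session data out of the cookie.

```python
"""Constructed model of the CSRF token mismatch caused by per-process
session stores (example code, not the post's or Flask-KVSession's own)."""
import hmac
import os
import secrets
import sqlite3
import tempfile


class DictStore:
    """Per-process in-memory store, in the spirit of simplekv.memory.DictStore."""

    def __init__(self):
        self._data = {}

    def put(self, key, value):
        self._data[key] = value

    def get(self, key):
        return self._data.get(key)


class SQLiteStore:
    """Shared on-disk store; stands in for simplekv.db.sql.SQLAlchemyStore.
    Every process opening the same file sees the same 'sessions' table."""

    def __init__(self, path):
        self.path = path
        with sqlite3.connect(path) as conn:
            conn.execute(
                "CREATE TABLE IF NOT EXISTS sessions (key TEXT PRIMARY KEY, value TEXT)"
            )

    def put(self, key, value):
        with sqlite3.connect(self.path) as conn:
            conn.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?)", (key, value))

    def get(self, key):
        with sqlite3.connect(self.path) as conn:
            row = conn.execute(
                "SELECT value FROM sessions WHERE key = ?", (key,)
            ).fetchone()
        return row[0] if row else None


class Worker:
    """One WSGI process. The cookie carries only a session id; the CSRF
    token is kept server-side in this worker's store."""

    def __init__(self, store):
        self.store = store

    def get_form(self):
        session_id = secrets.token_urlsafe(16)
        csrf_token = secrets.token_urlsafe(32)
        self.store.put(session_id, csrf_token)
        return {"cookie": session_id, "csrf_token": csrf_token}

    def post_form(self, cookie, submitted_token):
        expected = self.store.get(cookie)
        if expected is None:
            return "400 Bad Request: unknown session, CSRF token mismatch"
        if not hmac.compare_digest(expected, submitted_token):
            return "400 Bad Request: CSRF token mismatch"
        return "200 OK"


def round_trip(get_worker, post_worker):
    """GET served by one worker, the following POST by another, as a
    round-robin load balancer would do."""
    page = get_worker.get_form()
    return post_worker.post_form(page["cookie"], page["csrf_token"])


def single_process():
    # One process, one DictStore: both requests hit the same memory.
    worker = Worker(DictStore())
    return round_trip(worker, worker)


def per_process_stores():
    # Two processes, each constructing its own DictStore at startup.
    return round_trip(Worker(DictStore()), Worker(DictStore()))


def shared_store():
    # Two processes, each opening the same persistent store.
    path = os.path.join(tempfile.mkdtemp(), "sessions.db")
    return round_trip(Worker(SQLiteStore(path)), Worker(SQLiteStore(path)))


if __name__ == "__main__":
    print("single process, DictStore:   ", single_process())
    print("two processes, DictStore each:", per_process_stores())
    print("two processes, shared SQLite: ", shared_store())
```

The middle case is the bug from the post: the POST arrives at a process whose store has never seen the session id from the cookie, so the token cannot be found and the request is rejected. Replacing the per-process dictionaries with one store that all processes open makes the same two requests succeed.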