Flask permanent session: where to define them?
I'm surprised no one has answered this question. It seems like there should be some type of config variable SESSION_PERMANENT = True. But unfortunately there isn't. As you mentioned, this is the best way to do it.

    from flask import session

    @app.before_request
    def make_session_permanent():
        # Runs before every request: marks the cookie-backed session as
        # permanent so PERMANENT_SESSION_LIFETIME governs its expiry
        session.permanent = True
Should you use PERMANENT_SESSION_LIFETIME and session.permanent?
What you actually want to do is probably expire users' sign-in status. However, this configuration expires the session object/cookie, which contains the users' sign-in status as well as (potentially) some other data that you stored in session.
Do you need to set session.permanent?
According to Flask's doc:
Flask's default cookie implementation validates that the cryptographic signature is not older than this value.
session.permanent is an add-on of PERMANENT_SESSION_LIFETIME. Sometimes it is okay if you do not set session.permanent to True.

If you do not set session.permanent, the session cookie's lifetime will not be affected by PERMANENT_SESSION_LIFETIME. But Flask will look at PERMANENT_SESSION_LIFETIME and a timestamp in the session cookie to see if the session cookie is still valid. If the timestamp is older than specified by PERMANENT_SESSION_LIFETIME, it will be ignored. But the cookie still exists.
This is how Flask ignores the session cookie:

    def open_session(self, app, request):
        s = self.get_signing_serializer(app)
        if s is None:
            return None
        val = request.cookies.get(app.session_cookie_name)
        if not val:
            # No cookie sent: start with an empty session
            return self.session_class()
        # PERMANENT_SESSION_LIFETIME is used as max_age whether or not
        # the session is permanent
        max_age = total_seconds(app.permanent_session_lifetime)
        try:
            data = s.loads(val, max_age=max_age)
            return self.session_class(data)
        except BadSignature:
            # Tampered or too old (SignatureExpired is a BadSignature):
            # the cookie is ignored and an empty session is used
            return self.session_class()
If you set session.permanent=True, the validation will still be done. And what's more, the session cookie will expire and be deleted from the browser after PERMANENT_SESSION_LIFETIME.
This is how PERMANENT_SESSION_LIFETIME controls the expiration of the cookie:

    def get_expiration_time(self, app, session):
        # Only a permanent session gets an Expires attribute; otherwise
        # None is returned and the cookie lasts until the browser closes
        if session.permanent:
            return datetime.utcnow() + app.permanent_session_lifetime

    def save_session(self, app, session, response):
        ...
        expires = self.get_expiration_time(app, session)
        val = self.get_signing_serializer(app).dumps(dict(session))
        response.set_cookie(
            app.session_cookie_name,
            val,
            expires=expires,
            httponly=httponly,
            domain=domain,
            path=path,
            secure=secure,
            samesite=samesite
        )
Do you need to set session.permanent for every request?

session.permanent by default is actually session['_permanent']. Its value will stay in session. But if you are going to assign it only when users sign in, stay alert and check how users could bypass the sign-in route to sign in, for example by signing up.
I choose what you said, "login_user()":

    @asset.route('/login', methods=['GET', 'POST'])
    def login():
        # After verifying the validity of username and password
        session.permanent = True

If it is set at app.before_request, this will lead to setting it too many times.
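To make the behaviour described in the two answers above concrete, here is an added, stand-alone example that is not code from the thread or from Flask itself. It re-implements, with only the standard library, the mechanism the quoted open_session/get_expiration_time methods rely on: a timestamped, HMAC-signed cookie value that is accepted only while its timestamp is within PERMANENT_SESSION_LIFETIME, and an Expires attribute that is computed only when the session carries the _permanent key (the real Flask implementation uses itsdangerous's URLSafeTimedSerializer and flask.session; the SECRET_KEY, the timestamps and the login() helper below are constructed for this example).

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed values for this example (not from the page or from Flask):
SECRET_KEY = b"example-secret-key-not-for-real-use"
PERMANENT_SESSION_LIFETIME = timedelta(days=31)  # the default Flask documents


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def dumps(session: dict, now: int) -> str:
    """Serialize the session with an issue timestamp and an HMAC-SHA256 tag,
    in the spirit of the timestamped signed serializer behind Flask's cookie."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    stamp = _b64(int(now).to_bytes(8, "big"))
    body = f"{payload}.{stamp}"
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def loads(cookie: str, max_age: float, now: int) -> Optional[dict]:
    """Return the session data if the tag verifies and the timestamp is no
    older than max_age; otherwise None (BadSignature / SignatureExpired)."""
    try:
        payload, stamp, tag = cookie.split(".")
        given_tag = _unb64(tag)
        issued = int.from_bytes(_unb64(stamp), "big")
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, f"{payload}.{stamp}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_tag):
        return None  # tampered payload/timestamp or wrong key
    if now - issued > max_age:
        return None  # too old: the browser still holds the cookie, but it is ignored
    return json.loads(_unb64(payload))


def open_session(cookie: Optional[str], now: int) -> dict:
    """Mirror of the quoted open_session: a missing, unreadable or stale cookie
    yields an empty session rather than an error, permanent or not."""
    if not cookie:
        return {}
    data = loads(cookie, PERMANENT_SESSION_LIFETIME.total_seconds(), now)
    return data if data is not None else {}


def get_expiration_time(session: dict, now: int) -> Optional[datetime]:
    """Mirror of the quoted get_expiration_time: only a permanent session
    (the _permanent key) gets an Expires; otherwise the cookie is a
    browser-session cookie with no Expires at all."""
    if session.get("_permanent"):
        return datetime.fromtimestamp(now, timezone.utc) + PERMANENT_SESSION_LIFETIME
    return None


def login(session: dict, user_id: int) -> dict:
    """What the login route in the last answer does after verifying the
    credentials: mark the session permanent once, at sign-in (hypothetical)."""
    session["user_id"] = user_id
    session["_permanent"] = True
    return session


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    sess = login({}, 42)
    cookie = dumps(sess, now)
    print("one hour later ->", open_session(cookie, now + 3600))
    print("Expires        ->", get_expiration_time(sess, now))
    print("32 days later  ->", open_session(cookie, now + 32 * 86400))
```

Running it shows the two separate effects the second answer distinguishes: the max_age check in open_session discards a cookie older than 31 days regardless of whether the session was permanent, while only a session with _permanent set gets an Expires attribute that makes the browser drop the cookie on its own.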