How to securely store credentials per session in Flask
I would definitely use something like Flask-KVSession to store the user's credentials in the server-side session (+1 for that - I hadn't seen that extension before). That will ensure that you are not passing the user's credentials back and forth in a cookie. I would add Flask-Login to deal with the more interesting parts of session management without having to discover all the issues yourself.

Dropping the credentials into app.config is not a good idea because app.config is not a LocalProxy and therefore is not thread-safe. You are not guaranteed that changes you make to app.config for one request will not wind up affecting other requests. (You can read more about context locals here and here.)
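The following is an added example, not code from the answer above or from Flask, Flask-KVSession or Flask-Login. It uses only the Python standard library so it runs offline: a plain dict stands in for app.config (one object shared by the whole process), threading.local stands in for a per-request context local, a ThreadPoolExecutor stands in for a multi-threaded WSGI server, and a small in-memory class stands in for what a server-side session extension does (credentials stay on the server; the client only holds an opaque random id). The three users and their passwords are constructed sample data. A threading.Barrier forces the three "requests" to interleave so the cross-request leak is reproducible rather than timing-dependent.

```python
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed sample data: three users "logging in" at the same moment.
USERS = {"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-carol"}

shared_config = {}                  # stand-in for app.config: one dict per process
request_local = threading.local()   # stand-in for a context local: one slot per thread


def handle_with_shared_config(username, password, barrier):
    """Stores credentials in the process-wide dict, waits until every concurrent
    request has done the same, then reads them back (as a later view or
    before_request hook would). Returns (who we are, who the config says we are)."""
    shared_config["USERNAME"] = username
    shared_config["PASSWORD"] = password
    barrier.wait()
    return username, shared_config["USERNAME"]


def handle_with_context_local(username, password, barrier):
    """Same flow, but the credentials live in a per-thread slot, so each
    request reads back only what it wrote itself."""
    request_local.username = username
    request_local.password = password
    barrier.wait()
    return username, request_local.username


def run_concurrently(handler):
    """Runs one 'request' per user on its own thread and maps each user to the
    username that request observed after the barrier."""
    barrier = threading.Barrier(len(USERS))
    with ThreadPoolExecutor(max_workers=len(USERS)) as pool:
        futures = [pool.submit(handler, u, p, barrier) for u, p in USERS.items()]
        results = [f.result() for f in futures]
    return {expected: observed for expected, observed in results}


def leaked_requests(handler):
    """Users whose request ended up holding somebody else's credentials."""
    return sorted(u for u, seen in run_concurrently(handler).items() if seen != u)


class ServerSideSessionStore:
    """Toy analog of a server-side session (assumption: a real deployment would use
    Flask-KVSession with a persistent backend). Credentials never leave the server;
    the cookie carries only an unguessable random id."""

    def __init__(self):
        self._store = {}
        self._lock = threading.Lock()

    def create(self, data):
        sid = secrets.token_urlsafe(32)      # 256 bits of randomness for the cookie value
        with self._lock:
            self._store[sid] = dict(data)
        return sid

    def get(self, sid):
        with self._lock:
            return dict(self._store.get(sid, {}))

    def destroy(self, sid):
        """Logout: drop the server-side record so a replayed cookie is useless."""
        with self._lock:
            self._store.pop(sid, None)


if __name__ == "__main__":
    print("leaks via shared config :", leaked_requests(handle_with_shared_config))
    print("leaks via context local :", leaked_requests(handle_with_context_local))
    store = ServerSideSessionStore()
    sid = store.create({"username": "alice", "password": USERS["alice"]})
    print("cookie value            :", sid)
    print("server-side record      :", store.get(sid))
```

With the barrier in place every request writes to shared_config before any of them reads, so exactly two of the three requests read back another user's credentials, while the context-local version never does. The session store shows the second half of the answer: the only thing that crosses the wire is the random id, so neither the username nor the password appears in the cookie.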