Flask-Session extension vs default session

Question:

I’m using:

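from flask import Flask, render_template, session

app = Flask(__name__)
app.secret_key = 'change-me'  # placeholder; the session cookie cannot be signed without a secret key

@app.route('/')
def main_page():
    # Read the value back if an earlier request already stored it in the session
    if session.get('key'):
        print("session exist" + session.get('key'))
    else:
        print("could not find session")
        session['key'] = '34544646###########'
    return render_template('index.html')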

I don’t have the Flask-Session extension installed but this still works fine. I’m trying to understand why and when that extension is important to me. As far as I can see, the default session works well for me.

Asked By: Ankit

Answers:

The difference is in where the session data is stored.

Flask’s sessions are client-side sessions. Any data that you write to the session is written to a cookie and sent to the client to store. The client will send the cookie back to the server with every request; that is how the data that you write in the session remains available in subsequent requests. The data stored in the cookie is cryptographically signed to prevent any tampering. The SECRET_KEY setting from your configuration is used to generate the signature, so the data in your client-side sessions is secure as long as your secret key is kept private. Note that secure in this context means that the data in the session cannot be modified by a potential attacker. The data is still visible to anybody who knows how to look, so you should never write sensitive information in a client-side session.

Flask-Session and Flask-KVSession are two extensions for Flask that implement server-side sessions. These sessions work exactly in the same way as the Flask native sessions from the point of view of your application, but they store the data in the server. The data is never sent to the client, so there is a bit of increased security. The client still receives a signed cookie, but the only data in the cookie is a session ID that references the file or database index in the server where the data is stored.

Answered By: Miguel Grinberg
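
A minimal model of the two designs described above, added here as an example and not taken from Flask, Flask-Session or the answers on this page. It uses only the standard library; the key, the helper names and the in-memory STORE are constructed for illustration, and it leaves out the timestamp and key derivation that Flask's real cookie serializer adds.

```python
import base64, hashlib, hmac, json, secrets

SECRET_KEY = b"constructed-demo-key"  # constructed value standing in for SECRET_KEY
STORE = {}                            # stand-in for the server-side backend (Redis, files, ...)

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(value):
    return b64e(hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).digest())

def verify(cookie):
    """Return the signed value if the signature matches, else None."""
    value, _, sig = cookie.rpartition(".")
    return value if hmac.compare_digest(sig, sign(value)) else None

# --- client-side session: the data itself travels in the cookie ---
def client_cookie(data):
    payload = b64e(json.dumps(data).encode())
    return f"{payload}.{sign(payload)}"

def client_load(cookie):
    payload = verify(cookie)
    return json.loads(b64d(payload)) if payload else None

def read_without_key(cookie):
    """Anyone holding the cookie can decode the payload; no key is involved."""
    return json.loads(b64d(cookie.split(".")[0]))

def tamper(cookie, data):
    """Replace the payload but keep the old signature (the key is unknown)."""
    return f"{b64e(json.dumps(data).encode())}.{cookie.rpartition('.')[2]}"

# --- server-side session: the cookie carries only a signed session ID ---
def server_cookie(data):
    sid = secrets.token_urlsafe(16)
    STORE[sid] = data
    return f"{sid}.{sign(sid)}"

def server_load(cookie):
    sid = verify(cookie)
    return STORE.get(sid) if sid else None

def revoke(cookie):
    """Delete the server-side record; the cookie stops working immediately."""
    STORE.pop(verify(cookie), None)
```

The signature stops modification but not reading, which is why the client-side cookie is unsuitable for sensitive values; only the server-side variant can be revoked before it expires.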

from flask import session

Cookies holding all session data are stored client-side.

Pros:
 - Validating and creating sessions is fast (no data storage)
 - Easy to scale (no need to replicate session data across web servers)

Cons:
 - Sensitive data cannot be stored in session data, as it’s stored on the web browser
 - Session data is limited by the size of the cookie (usually 4 KB)
 - Sessions cannot be immediately revoked by the Flask app

from flask_session import Session

Session data is stored server-side.

Pros:
 - Sensitive data is stored on the server, not in the web browser
 - You can store as much session data as you want without worrying about the cookie size
 - Sessions can easily be terminated by the Flask app

Cons:
 - Difficult to set up and scale
 - Increased complexity since session state must be managed

*This information is from Patrick Kennedy, in this excellent tutorial: https://testdriven.io/blog/flask-server-side-sessions/

Answered By: Zaffer

Session

A session makes it possible to remember information from one request to another. The way Flask does this is by using a signed cookie. Cookies can be modified unless they have a SECRET KEY. It is saved on the client side unless permanent is set to True (boolean). If permanent is set to True, it is stored on the server for 31 days by default, unless PERMANENT_SESSION_LIFETIME is specified in the Flask app.

Flask-Session:

Flask-Session is an extension for Flask that adds support for server-side sessions to your application. Its main goal is to store the session on the server side.

The server-side methods are:
 - redis: RedisSessionInterface
 - memcached: MemcachedSessionInterface
 - filesystem: FileSystemSessionInterface
 - mongodb: MongoDBSessionInterface
 - sqlalchemy: SqlAlchemySessionInterface

Flask-Session is an extension of Session.
Based on the configured method, it overwrites the existing session saving method.

flask.sessions.SessionInterface: SessionInterface is the basic interface you have to implement in order to replace the default session interface, which uses Flask’s (Werkzeug’s) secure cookie implementation.
The only methods you have to implement are open_session() and save_session(); the others have useful defaults which you don’t need to change.
Based on this, they are updating the session in the selected storage.