Flask: How To Prevent Replay Attacks

Time: 2015-06-15 15:08:12

Tags: python session flask flask-login

I'm trying to implement logic in my Flask application to prevent replay attacks. Regarding the question asked here, my idea is to set the current session lifetime when the user logs out of the system. In general, it is suggested to set the session lifetime this way:

from datetime import timedelta
from flask import Flask, session
app = Flask(__name__)

@app.before_request
def before_request():
    session.permanent = True
    app.permanent_session_lifetime = timedelta(minutes=10)

However, I want to set my current session lifetime when the user logs out of the system. Something like the following code:

from flask import Flask, session

app = Flask(__name__)

@app.after_request
def app_after_request(response):
    response.headers["X-Frame-Options"] = "SAMEORIGIN"
    # The logout view sets this flag; here we drop the session data and expire the cookie.
    if session.get("__logged_out__") is True:
        session.clear()
        # app.config["SESSION_COOKIE_NAME"] is the config-key form of app.session_cookie_name,
        # which newer Flask releases no longer expose as an attribute.
        response.set_cookie(app.config["SESSION_COOKIE_NAME"], '', expires=0)
    return response

I also checked this question, but the problem is that I'm dealing with some confidential data and I have to ensure that the session is cleared after the user logs out of the system. Is there any way to set a single session's lifetime manually after it has been created? Or is there any easy way to handle this situation with flask-login?

1 answer:

Answer 0 (score: 0)

I found the solution. I should simply use the Flask-KVSession package to store the session data in a database (or any other data store) instead of in server memory. From the introduction on the package's website:


    Flask-KVSession is an MIT-licensed server-side session replacement for Flask's signed client-based session management. Instead of storing data on the client, only a securely generated ID is stored on the client, while the actual session data resides on the server.

You also need to create a key-value pair table in the database (by default it is named sessions, but you can change the name and schema) and point it at your Flask app object. More information can be found here.
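The two designs contrasted above, as an added example that is not code from the question, the answer or the Flask-KVSession project: a Flask-style signed client-side cookie (modelled with stdlib hmac, not Flask's own serializer) that any captured copy of still verifies after "logout" because the server keeps no state, beside a server-side store in the Flask-KVSession style where the cookie holds only a random ID and logout deletes the record. The SECRET_KEY, session contents, store class and timestamps are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for the example; a real deployment uses a long random secret.
SECRET_KEY = b"example-secret-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- 1. Signed client-side session (the model Flask uses by default) -------

def sign_session(data: dict) -> str:
    """Serialize session data into a cookie value of the form payload.signature."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def load_signed_session(cookie: str):
    """Verify the signature and decode the payload; None if tampered or malformed.
    Nothing here can know that the user logged out: the server holds no state,
    so every cookie it ever issued keeps verifying until the key is rotated."""
    try:
        payload, sig = cookie.split(".", 1)
        given = _unb64(sig)
    except (ValueError, base64.binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(payload))


# --- 2. Server-side session store (the Flask-KVSession model) -------------

class ServerSessionStore:
    """The cookie carries only a random ID; data and expiry live on the server."""

    def __init__(self, lifetime_seconds: int):
        self.lifetime = lifetime_seconds
        self._store = {}  # session_id -> (expires_at, data)

    def create(self, data: dict, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._store[sid] = (now + self.lifetime, dict(data))
        return sid

    def load(self, sid: str, now: float):
        entry = self._store.get(sid)
        if entry is None:
            return None
        expires_at, data = entry
        if now >= expires_at:  # server-enforced lifetime, independent of the cookie
            del self._store[sid]
            return None
        return data

    def destroy(self, sid: str) -> None:
        """Logout: once the record is gone, a replayed ID resolves to nothing."""
        self._store.pop(sid, None)


def demo_client_side_replay() -> bool:
    """True if a cookie captured before logout is still accepted afterwards."""
    cookie = sign_session({"user_id": 42, "_fresh": True})
    captured = cookie  # attacker copies the cookie from the wire or a log
    # "Logout" only tells the browser to drop its copy; the captured copy is unchanged.
    return load_signed_session(captured) is not None


def demo_server_side_replay() -> bool:
    """True if a session ID captured before logout is still accepted afterwards."""
    store = ServerSessionStore(lifetime_seconds=600)
    t0 = 1_000_000.0  # constructed clock value
    sid = store.create({"user_id": 42}, now=t0)
    captured = sid
    store.destroy(sid)  # the logout handler deletes the server-side record
    return store.load(captured, now=t0 + 1) is not None


if __name__ == "__main__":
    print("signed cookie replayable after logout:", demo_client_side_replay())
    print("server-side ID replayable after logout:", demo_server_side_replay())
```

The point the answer relies on is the second demo: with server-side sessions, `set_cookie(..., expires=0)` at logout is a courtesy to the browser, while `destroy()` is what actually revokes the session, so a stolen cookie stops working regardless of its own expiry.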