
Why is flask-session in plain text?

I have a server-side session file created and I am new to web applications. I don’t understand why the session files, when opened in a text editor, have plain content inside them. I have a secret key set up and all, but why is it not encrypted?

from flask import Flask, render_template, request, redirect, url_for, session, flash
from flask_session import Session  # the package's module is flask_session, not flask_sessions

app = Flask(__name__)
app.config['SECRET_KEY'] = 'keykeykey'           # used to sign the session-id cookie
app.config["SESSION_PERMANENT"] = False
app.config["SESSION_TYPE"] = "filesystem"        # session data is stored in files on the server
app.config['SESSION_USE_SIGNER'] = True          # HMAC-sign the session id placed in the cookie
server_session = Session(app)

And on login the file route is

@app.route('/login', methods=['GET', 'POST'])
def login_page():
    if request.method == 'POST':
        session['email'] = request.form['email']   # value submitted from the login form
        return redirect(url_for('home_page'))
    return render_template('login.html')           # template name assumed for the GET case

And on logout the route is

@app.route("/logout")
def logout():
    session.pop('email', None)
    return redirect(url_for("home_page"))

When the session is started a file is created in dir/flask-sessions/2029240f6d1128be89ddc32729463129; there are two files generated each time, and when I open it with Notepad I can see the email id in plain text, that is

Mø`.€•i       }”(Œ
_permanent”ˆŒ
csrf_token”Œ(fb90d22be1adc1237c52730fadf95d1e07936cdd9e”Œemail”Œemail@email.com”u.

the ending email@email.com is the input from the form.

My questions are

  1. Why is the content not encrypted even though it is stored in my server?
  2. When I do session.pop() why is the file not deleted?

EDIT: I guess the issue is because I use from cachelib import FileSystemCache instead of from werkzeug.contrib.cache import FileSystemCache? Is that the issue? How can I overcome this, as the latest version of Werkzeug doesn’t have .contrib?


Answer

Trying to answer it to the best of my knowledge.

1) Why is the content not encrypted?

You do not really need to worry about the session stored in your server as long as your server is secured. The vulnerability is the session stored as cookies in the browser. To bypass that, the ‘SECRET_KEY’ is used to let the server sign the session variables before storing them in the browser. That is the reason why you might still see the session in plain text on the server. It will be signed in the browser cookie-data though.

2) When I do session.pop() why is the file not deleted?

To understand what the session.pop does, I did a little exercise. At first, my flask session looked like this:

Session is:  <SecureCookieSession {'id': '27260b14-405d-440a-9e38-daa32d9a7797', 'loggedin': True, 'username': 'Rajat Yadav'}>

When I pop all the keys in the session dict mapping, I am left with this:

New Session is:  <SecureCookieSession {}>

What is clear is that the key:value pair gets deleted as we pop the session. One thing for sure is that pop does not delete the complete dictionary object but just the key:value pair inside. To your question of the file not getting deleted, I believe deleting the dictionary object should do the trick. Try:

del session

Let me know if this deletes the file.
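An added example, not code from the question, the answer or Flask-Session itself: a stdlib-only model of a filesystem-backed server-side session that separates the two jobs the question mixes up. It assumes the same division of labour as the filesystem backend described above: the session dict is pickled into a file named after the session id (file naming via sha256 and the on-disk layout are this example's own simplification), while SECRET_KEY only HMAC-signs the session id that goes into the browser cookie, so the file stays readable and popping a key rewrites it rather than removing it.

```python
import base64
import hashlib
import hmac
import os
import pickle
import tempfile

SECRET_KEY = b"keykeykey"   # the question's key, for the demo only
SESSION_DIR = tempfile.mkdtemp(prefix="flask-sessions-")

def _path(sid):
    # Stand-in for the cache's file naming: one file per session id.
    return os.path.join(SESSION_DIR, hashlib.sha256(sid.encode()).hexdigest())

def save_session(sid, data):
    """Pickle the session dict to disk. SECRET_KEY plays no part here."""
    with open(_path(sid), "wb") as fh:
        pickle.dump(data, fh)

def sign_sid(sid):
    """Cookie value = session id + HMAC tag: signing, not encryption."""
    tag = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).digest()
    return sid + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify_cookie(cookie):
    """Return the session id if the tag matches, else None (tampered/forged)."""
    sid = cookie.rpartition(".")[0]
    return sid if sid and hmac.compare_digest(sign_sid(sid), cookie) else None

def file_contains(sid, needle):
    """True if the raw bytes on disk still show `needle` (the email, say)."""
    with open(_path(sid), "rb") as fh:
        return needle.encode() in fh.read()

def pop_key(sid, key):
    """session.pop() as the store sees it: file rewritten minus one key, not removed."""
    with open(_path(sid), "rb") as fh:
        data = pickle.load(fh)
    data.pop(key, None)
    save_session(sid, data)
    return os.path.exists(_path(sid))

def delete_session(sid):
    """Removing the cache entry is what deletes the file; `del session` only unbinds a name."""
    os.remove(_path(sid))
    return os.path.exists(_path(sid))
```

Running it shows the email readable in the file while a modified cookie is rejected, and that only removing the cache entry makes the file disappear.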

User contributions licensed under: CC BY-SA