19

Using the app below and Flask 0.11.1, I navigated to the routes associated with the following function calls, with the given results:

  • create(): '1,2,3' # OK
  • remove(1) : '2,3' # OK
  • remove(2) : '1,3' # expected '3'
  • maintain(): '1,2,3' # expected '1,3' or '3'

 

from flask import Flask, session

app = Flask(__name__)

@app.route('/')
def create():
    session['list'] = ['1','2','3']
    return ",".join(session['list'])

@app.route('/m')
def maintain():
    return ",".join(session['list'])

@app.route('/r/<int:id>')
def remove(id):
    session['list'].remove(str(id))
    return ",".join(session['list'])

if __name__ == '__main__':
    app.secret_key = "123"
    app.run()

This question is similar in theme to this question, this, and this one, but I'm setting the secret key and not regenerating it, and my variable is certainly not larger than the 4096 bytes allowed for cookies. Perhaps I'm missing some more basic understanding about Flask session variables?

Community
  • 1
  • 1
techmonk
  • 193
  • 1
  • 1
  • 5

3 Answers3

20

From the doc:

Be advised that modifications on mutable structures are not picked up automatically, in that situation you have to explicitly set the [modified attribute] to True yourself.

Try:

session['list'].remove(str(id))
session.modified = True
Robᵩ
  • 163,533
  • 20
  • 239
  • 308
16

Flask uses a CallbackDict to track modifications to sessions.

It will only register modifications when you set or delete a key. Here, you modify the values in place, which it will not detect. Try this:

@app.route('/r/<int:id>')
def remove(id):
    val = session['list']
    val.remove(str(id))
    session['list'] = val
    return ",".join(session['list'])

…and same with other changes.

Alternatively, you can flag the modification yourself instead of triggering the detection:

@app.route('/r/<int:id>')
def remove(id):
    session['list'].remove(str(id))
    session.modified = True
    return ",".join(session['list'])
spectras
  • 13,105
  • 2
  • 31
  • 53
1

I was having this same problem and I found out that my changes in the session were not persisting because my data was too big.

From here:

"By default, there isn't much difference between cookies and client-based sessions in Flask. As a result, the client-based sessions suffer from the same drawbacks the cookies have like:

  • Can't store sensitive data like passwords.
  • Additional payload on every request.
  • Can't store data more than 4KB.
  • Limit on the number of cookie per website and so on.

If your data is larger than 4KB, a server-side Session is needed. Have a look at Flask-Session.

Matheus Torquato
  • 1,293
  • 18
  • 25