10

I'm using the latest Flask/Werkzeug (Flask 0.9) client-side sessions to persist information between requests. The session is not set to be persistent (as I'm fine with the cookie being deleted when the browser is closed).

My problem is as follows:

I use some server-side code to fill the Flask session variable with an entry. After this, the Session variable looks something like this:

<SecureCookieSession {u'items': SOMENOTVERYIMPORTANTDICTIONARY}, '_fresh': True, 'user_id': u'1', 'csrf': '0aef1995cdf2cxx0233fdf3321d17fc7267f3b32', '_id': 'someUNIQUEcode'}*>

I use this information to render a page that performs a GET request (through JQuery) to the same Flask application, but suddenly the dictionary containing the 'items' entry in the session is gone:

<SecureCookieSession {'_fresh': True, 'user_id': u'1', 'csrf': '0aef1995cdf2cxx0233fdf3321d17fc7267f3b32', '_id': 'someUNIQUEcode'}>

I did some searching around, and thought that it may be related to the fact that I'm testing on localhost (127.0.0.1 is not the same as localhost). I fixed my hosts file and added a 'dev.localhost' entry to make sure that all requests are from the same host.

Also, the developer pane of my browser (Chrome) shows exactly the same identifiers for the session cookies being sent to the server.

Also, setting session.modified = True does not help.

The only thing that changes between requests is

__utmb=122666782.18.10.1363877633

for the first request (the one that populates the items entry) vs. the second request

__utmb=122666782.19.10.1363877633

Thinking that it still may be an Ajax-related-thing. I tested the contents of the session variable after a straightforward page reload: the items entry is still gone from the session.

Any help would be greatly appreciated.

RJH
  • 321
  • 2
  • 8
  • May be this can help http://stackoverflow.com/questions/13760008/why-do-some-flask-session-values-disappear-from-the-session-after-closing-the-br – codegeek Mar 21 '13 at 18:31
  • Is only the `items` entry removed or is it anything that you set on the session? – Sean Vieira Mar 22 '13 at 05:18
  • @codegeek I had a look at that entry before posting my question, and assumed that it may be a cross-host cookie problem. I set my hostname to `localhost.dev` to avoid confusion between `localhost` and `127.0.0.1`. Also, I tried setting the cookie & server domain explicitly in the Flask configuration, but that didn't help either. – RJH Mar 22 '13 at 09:00
  • @SeanVieira good tip. I tried adding a `test` entry to the session, but it doesn't stick. However, other server-side code (used for OAuth stuff) adds entries as well, and these entries _do_ stick. Should I perhaps set something explicitly in the JQuery GET request? (NB: this code is being migrated from Django to Flask, and in Django everything worked just fine) – RJH Mar 22 '13 at 09:01
  • Additional info: the first response does send the `items` entry back to the client in the response cookie, but the second (jQuery GET) request does not send the `items` entry back to the server. – RJH Mar 22 '13 at 09:16
  • And... in the first request, the session id for the request cookie is different from the session id in the response cookie. Is that correct? – RJH Mar 22 '13 at 09:26

1 Answers1

11

It turns out that the cookie being sent back to the client (Chrome) exceeds the 4096 bytes limit for cookie size. Apparently Django uses server-side sessions by default, which made this problem only appear when I moved my code to Flask. Using server side sessions in Flask such as in flask-kvsession and others should fix the issue.

RJH
  • 321
  • 2
  • 8
  • 1
    ... if only I had stumbled upon [this earlier question](http://stackoverflow.com/questions/7100315/flask-session-member-not-persisting-across-requests?rq=1) before. – RJH Mar 22 '13 at 12:04
  • 1
    ... it's incredible we don't get any warning at run time. It seems the statement is just ignored. I am sure that signalling it somehow would have saved hours and hours of bug seeking activity. :) – user_1177868 Feb 15 '15 at 20:37