
Consider the following simple flask app:

from flask import Flask, request, session

application = Flask(__name__)
# The secret key signs the session cookie; anyone who knows it can forge sessions.
application.secret_key = "some_random_string"

@application.route("/enter_string")
def start_session():
    # Store the query parameter in the session (a signed, client-side cookie by default).
    session["string"] = request.args["string"]
    # A Flask view must return a response; without this Flask raises an error.
    return "Stored your string."

@application.route("/get_string")
def continue_session():
    if "string" not in session:
        return "Give me a string first!"

    return "You entered " + session["string"]

if __name__ == "__main__":
    application.debug = True
    application.run()

Here are my questions:

  1. Once the "enter_string" endpoint has been visited and the user has assigned a string to session["string"], where is the string stored? Is it in the server's memory or the user's?
  2. By default, the session expires when the browser exits. Is there a simple way to have some other event trigger the expiration of the session, such as closing the window but not necessarily the browser?
  3. By default, will the session ever time out or is it kept until the browser exits no matter how long that takes?
Paul Siegel

1 Answer

Sessions in Flask can be implemented in different ways. The default implementation is based on secure cookies (cookies that have a cryptographic signature that prevents tampering). Here are the answers to your questions for this implementation:

  1. The string will be stored in a client-side cookie. Each time the browser sends a request to the server, the cookie will be sent along with it.

  2. The client can destroy the session by deleting the cookie using JavaScript. (The default name for the session cookie is session). The server can delete the session by removing all the items from it.

  3. In the default implementation the cookie has an expiration date set 31 days in the future. This can be changed with the PERMANENT_SESSION_LIFETIME configuration setting.

As I mentioned above, Flask supports third party session handlers, so the above answer may not apply to other implementations. In particular, there are handlers that implement server-side sessions (such as Flask-Session or Flask-KVSession) that store the session data in the server instead of the client.

Miguel Grinberg
  • I'm gonna show my greenness when it comes to sessions here, but I was under the impression with sessions it was typically a hash that was stored as your cookie locally that was then fetched from the server ... I was not aware that sessions store the entirety of the data locally ... – Joran Beasley Oct 13 '15 at 22:18
  • 2
    @JoranBeasley The implementation that you describe is widely used, but that is not what Flask does by default. If you use a server-side extension such as [Flask-Session](http://pythonhosted.org/Flask-Session/) then Flask stores the session hash in the cookie like you say. – Miguel Grinberg Oct 13 '15 at 22:45
  • 1
    This is great, thanks! If you don't mind a follow-up question (for the default session implementation): how are non-native Python objects stored in the client-side cookie? I.e. if I assign an instance of a class Foo to session["foo_instance"], how is the content of the cookie determined? – Paul Siegel Oct 14 '15 at 10:39
  • 1
    @PaulSiegel Very good question. The session data is serialized to JSON in the cookie, so whatever you write to the session must be JSON serializable. You can give Flask your own JSON encoder/decoder if you need to support non-standard objects. – Miguel Grinberg Oct 14 '15 at 14:18
  • 1
    Thanks for your help! I tested your answer by manually deleting the session cookie client-side, and sure enough the server loses the session. I was able to bind some reasonably complicated non-standard objects without any trouble, so I guess the default JSON functionality is pretty good. – Paul Siegel Oct 14 '15 at 18:00