If a user deletes his cookies for a Flask site, does that effectively end that session? If not, is there any possible way that Flask could determine who the user is without the user signing in, so that the server can connect that user with his previous session?
If a user deletes his cookies for a Flask site, can the server still associate him with his session?
2 Answers
The answer seems to be "Yes, Flask can sometimes 'figure out who you are' (re-associate you with your previous session) even if you delete your cookie".
This is because your Flask-Login session ID is generated from a deterministic algorithm based solely on your IP address and user_agent string.
I learned all this from reading the SO question linked below and its answers:
I made the following observations:
- For same IP addresses, but different browsers I get different SIDs - that's expected;
- For different IPs & same browser I again have different SIDs - expected;
- For same IP address with same browser I get same SID - also expected;

Now, point (3) is interesting because even if I delete the corresponding cookie the SID remains constant! To some extent even that might be understandable, but actually I was expecting the SID to change between different cookies. But the only difference I see is that session.new is True for the first request immediately after the deletion of the cookie.
An answer to the same question:
It looks like you're using the Flask-Login extension. Here's the code that generates the id token:
    def _create_identifier():
        base = unicode("%s|%s" % (request.remote_addr,
                                  request.headers.get("User-Agent")), 'utf8', errors='replace')
        hsh = md5()
        hsh.update(base.encode("utf8"))
        return hsh.digest()
It's basically just md5(ip_address + user_agent).

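To show why an identifier built only from the IP address and User-Agent is unaffected by cookie deletion, here is an added example (not from the original answers, and not Flask-Login's own code). It ports the quoted function to Python 3 and compares two hypothetical in-memory stores, one keyed by that fingerprint and one keyed by a random token held only in the cookie; the class names, IP address and User-Agent string are constructed for illustration.

```python
import hashlib
import secrets


def create_identifier(remote_addr, user_agent):
    """Python 3 port of the quoted function; request values are passed in
    as arguments and the digest is returned as hex for readability."""
    base = "%s|%s" % (remote_addr, user_agent)
    return hashlib.md5(base.encode("utf8", errors="replace")).hexdigest()


class FingerprintKeyedStore:
    """Hypothetical store: the session key is derived from IP + User-Agent,
    so the server can find the session without any cookie."""

    def __init__(self):
        self.sessions = {}

    def lookup(self, remote_addr, user_agent, cookie=None):
        sid = create_identifier(remote_addr, user_agent)
        return sid, self.sessions.setdefault(sid, {})


class TokenKeyedStore:
    """Hypothetical store: the session key is a random token that exists
    only in the client's cookie."""

    def __init__(self):
        self.sessions = {}

    def lookup(self, remote_addr, user_agent, cookie=None):
        if cookie not in self.sessions:
            cookie = secrets.token_urlsafe(32)  # unknown or missing cookie: new session
            self.sessions[cookie] = {}
        return cookie, self.sessions[cookie]


def demo(store):
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample)"  # constructed values
    sid1, data = store.lookup(ip, ua)
    data["user"] = "alice"
    # The user deletes the cookie: the next request carries none.
    sid2, after_delete = store.lookup(ip, ua, cookie=None)
    # A different person behind the same NAT with the same browser build.
    _, other_client = store.lookup(ip, ua, cookie=None)
    return sid1 == sid2, after_delete.get("user"), other_client.get("user")
```

With the fingerprint-keyed store, `demo` returns the same identifier after the cookie is gone and also hands the session to the second client; with the token-keyed store, deleting the cookie ends the association.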
Session is more like unique id posted to your browser and ... So most of the time, when you change session (not session id), you just modify backend part.

Right, but if the user deletes the session ID and sends a new GET request, is there any way for the server to somehow figure out who that user was and reconnect them with their existing session? That's the behavior I'm experiencing. – Nathan Wailes Oct 31 '17 at 04:49