Flask-KVSession is an MIT-licensed server-side session replacement for Flask's signed client-based session management. Instead of storing data on the client, only a securely generated ID is stored on the client, while the actual session data resides on the server.
This has two major advantages:
- Clients no longer see the session information
- It is possible to securely destroy sessions to protect against replay attacks.
Other things are possible with server side session that are impossible with clients side sessions, like inspecting and manipulating data in absence of the client.
Integration with Flask is seamless, once the extension is loaded for a Flask application, it transparently replaces Flask’s own Session management. Any application working with sessions should work the same with Flask-KVSession (if it does not, file a bug!).
Documentation and development

import redis
from flask import Flask
from flask_kvsession import KVSessionExtension
from simplekv.memory.redisstore import RedisStore

store = RedisStore(redis.StrictRedis())
app = Flask(__name__)
KVSessionExtension(store, app)
Sessions will expire, causing them to be invalid. To be automatically removed from the backend as well, that backend must support the TimeToLiveMixin interface; example backends that support this are
Occasionally, it is handy to namespace session keys (for example, when sharing a Redis database). This can be achieved using

from simplekv.decorator import PrefixDecorator

store = ...  # set up the store normally
prefixed_store = PrefixDecorator('sessions_', store)
# ...
KVSessionExtension(prefixed_store, app)

The decorator will transparently prefix sessions_ to every session key stored and strip it upon retrieval.
In addition to PERMANENT_SESSION_LIFETIME (see Flask documentation), the following configuration settings are available:
- The size of the random integer to be used when generating random session ids. Defaults to 64.
- Random source to use, defaults to an instance of
- Whether or not to set the time-to-live of the session on the backend, if supported. Default
flask_kvsession is a drop-in replacement module for Flask sessions that uses a simplekv.KeyValueStore as a backend for server-side sessions.
Activates Flask-KVSession for an application.
- session_kvstore – An object supporting the simplekv.KeyValueStore interface that session data will be stored in.
- app – The app to activate. If not None, this is essentially the same as calling
Removes all expired sessions from the store.
Periodically, this function can be called to remove sessions from the backend store that have expired, as they are not removed automatically unless the backend supports time-to-live and has been configured appropriately (see
This function retrieves all session keys, checks whether they are older than PERMANENT_SESSION_LIFETIME and, if so, removes them.
Note that no distinction is made between non-permanent and permanent sessions.
Parameters: app – The app whose sessions should be cleaned up. If
Helper class for parsing session ids.
Internally, Flask-KVSession stores session ids that are serialized as
KEY is a random number (the session's "true" id) and
CREATED a UNIX timestamp of when the session was created.
Report whether the session key has expired.
Serializes to the standard form of
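The following is an added, self-contained model of the scheme described above (the session-id helper and cleanup_sessions); it is not Flask-KVSession's own code, and it assumes a hex "KEY_CREATED" layout for the serialized id and a plain dict standing in for the key-value store. It shows why the creation timestamp lives in the key: cleanup can decide expiry without ever loading session data.

```python
import random
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionID:
    key: int       # random "true" id, drawn from a cryptographic source
    created: int   # UNIX timestamp of when the session was created

    @classmethod
    def generate(cls, key_bits=64, rng=random.SystemRandom(), now=None):
        # key_bits mirrors the documented default of 64 random bits.
        created = int(now if now is not None else time.time())
        return cls(rng.getrandbits(key_bits), created)

    def serialize(self):
        # Assumed layout (not confirmed by the page): hex key, "_", hex timestamp.
        return "%x_%x" % (self.key, self.created)

    @classmethod
    def unserialize(cls, s):
        # Raises ValueError for keys that do not follow the layout.
        key_s, created_s = s.split("_", 1)
        return cls(int(key_s, 16), int(created_s, 16))

    def has_expired(self, lifetime_seconds, now=None):
        # Expiry is measured from creation, as cleanup_sessions does;
        # no distinction between permanent and non-permanent sessions.
        now = time.time() if now is None else now
        return self.created + lifetime_seconds < now


def cleanup_sessions(store, lifetime_seconds, now=None):
    """Remove every session key whose embedded creation time is older
    than lifetime_seconds. `store` is a constructed dict stand-in for a
    simplekv store; returns the list of removed keys."""
    removed = []
    for k in list(store.keys()):
        try:
            sid = SessionID.unserialize(k)
        except ValueError:
            continue  # foreign key in a shared store; never touch it
        if sid.has_expired(lifetime_seconds, now):
            del store[k]
            removed.append(k)
    return removed
```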
- TTL support automatically detected
- Various bugfixes
- Official Python3 support (now depends on simplekv >= 0.9 and
- Major cleanup of documentation.
- Includes support for sessions with limited time-to-live on the backend.
No context is stored in the KVSessionExtension anymore. Instead, all data (including a reference to the actual store) is attached to the application.
This means that a single KVSessionExtension can be used with multiple apps, if so desired, each with its own store.
Now requires Flask version >= 0.8, obsoleting some legacy version workarounds.
- Hotfix: Calling session.regenerate() on the first request should no longer cause an exception.
- Hotfix: Create empty KVSessions instead of NullSessions when a session is invalid or missing.
- Use pickle instead of json as the serialization method.
- First occurrence of changelog in docs.
- Complete rewrite.