Reputation: 3784
I'm using Flask's built-in session mechanism.
Here is my understanding of the session mechanism (with Flask):
Imagine the following scenario:
try_number=3
The user connects to the application for the first time; the application sends Set-Cookie: session=Flask.sign("try_number=3"), let's call this cookie COOKIE_A.
The user performs his first action, he sends COOKIE_A, the application replies with Set-Cookie: session=Flask.sign("try_number=2"), let's call this cookie COOKIE_B.
Now, if the user performs another action, but doesn't use COOKIE_B but COOKIE_A again (using curl for example), the cookie is still signed, and will be handled by the server, with try_number=3.
Therefore, only using COOKIE_A for all operations, he will be able to "spoof" the session mechanism, and make unlimited actions with the same session.
Is there any built-in mechanism to prevent this? (I'm not talking about snippets for using sqlite / redis, but a built-in solution.)
Upvotes: 1
Views: 1039
Reputation: 127320
This is not a failure of the security of Flask's cookies; it's a failure of your counter design. There is no built-in protection against replay attacks.
You can shorten the expiration time of the session cookie. This doesn't really solve the problem, it just makes the window smaller. It also makes the session inconvenient for regular use, which would annoy your normal users.
Ultimately, you'll have to store some information on the server and check against it. You could send a nonce with every request and keep a store of which ones have been sent back, ignoring ones that have been seen before. You could also just store all session information (except some identifying key) on the server side, so it can't be re-sent.
Upvotes: 3
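A runnable sketch of the two points in the answer, as an added example (not from the original thread, and not Flask's own code): a Flask-style HMAC-signed cookie whose counter replays exactly as the question describes, beside a version that binds each issued cookie to a server-side nonce. `SECRET`, `sign`, `verify`, `issue` and the in-memory `live_nonces` store are constructed stand-ins for this demo, not Flask or itsdangerous APIs.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # stand-in for app.secret_key

def sign(data: dict) -> str:
    """Signed cookie in the style of Flask's session: payload.hmac (constructed)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def verify(cookie: str):
    """Return the session dict if the signature is valid, else None (tampering)."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

# Vulnerable design from the question: all state lives in the cookie, so a
# correctly signed but stale COOKIE_A is accepted again and again.
def try_action_cookie_only(cookie: str):
    sess = verify(cookie)
    if sess is None or sess["try_number"] <= 0:
        return False, cookie
    sess["try_number"] -= 1
    return True, sign(sess)

# Fix from the answer: each response carries a fresh nonce and the server
# remembers which nonce is currently live for the session (in-memory here).
live_nonces = {}  # session id -> nonce that is currently valid

def issue(session_id: str, data: dict) -> str:
    nonce = secrets.token_hex(8)
    live_nonces[session_id] = nonce
    return sign({**data, "sid": session_id, "nonce": nonce})

def try_action_with_nonce(cookie: str):
    sess = verify(cookie)
    if sess is None:
        return False, cookie
    if live_nonces.get(sess["sid"]) != sess["nonce"]:
        return False, cookie  # replayed or superseded cookie: reject
    if sess["try_number"] <= 0:
        return False, cookie
    return True, issue(sess["sid"], {"try_number": sess["try_number"] - 1})
```

In a real deployment the nonce store would live in Redis or a database shared by all workers, and stale entries would need an expiry.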