How to retrieve the corresponding data set stored in session storage of each user's in python with flask?

Question

This is the imports going to be used in the following blocks of code.

from flask import Flask, session

The initial code

# with required imports
# with previous code implemented (such as app=Flask(__name__))

@app.route('/')
def index():
    session['name'] = 'username'
    session['pwd'] = 'password'
    return {
        'username': session['name'],
        'password': session['pwd']
    }

The output of the above code on the browser is

{
    "username": "username",
    "password": "password"
}

which means there are "name" attribute and "pwd" attribute in the current session storage.

But as far as I understand, the structure of session storage is like this

{
    "Dx_h18Ux": {
                    "name": "username",
                    "pwd": "password"
                }
    "aqD81K_9": {
                    "name": "anothername",
                    "pwd": "anotherpwd"
                }
    ... more users to go
}

The session storage actually contains multiple dictionaries of the same structure, but each one of them is stored under a unique hash key.

So, here's another block of code

# with required imports
# with previous code implemented

@app.route('/account')
def account():
    if session['name'] == 'username':
        return 'You do have access to this page'
    return 'You don't have access to this page'

With this code, I can access the account page only if I've accessed the index page before.

So, I think it works because I just created the "name" and "pwd" attributes, they were stored locally somewhere on this page (in the meantime, they were probably also stored in the session storage). I can access session['name'] after the index page because I can just fetch the data from the local storage.

Now, if I have app.config['PERMANENT_SESSION_LIFETIME] implemented, I close the tab and reopen it, I'm not supposed to have anything in local storage but the session still exists, so the data is only stored in session storage. If I'm correct, how can I fetch all data of a user from session storage with a given username?

e.g. I'd like to take out this single chunk

"Dx_h18Ux": {
                "name": "username",
                "pwd": "password"
            }

or in code version

@app.route('/get_session/<username>')
def get_session(username):
    ''' given a username as a locator, 
        fetch the whole dictionary that has a name attribute be username
    '''

    s = the chunk

    print(s['name'])
    # expected output: username

    print(s['pwd'])
    # expected output: password

I'm sorry if I'm I mess anything up.

Answer 1

When you use default sessions in Flask, all of the data is stored on the user's machine in a cookie. The server doesn't hold a copy of it, at all. You can implement server-side sessions, but it's not an out of the box experience with Flask.

When a user accesses your site, if they have a cookie that's associated with your site-- they'll send a copy of their cookie with each page request-- that cookie is cryptographically signed using your SECRET_KEY so while they can open the cookie on their machine, they can't change anything without invalidating it, and so it is only provided when they make a request. If they don't have one, they'll create one after the first request.

Essentially your server holds none of the cards until a user visits, and during a request cycle from a user-- the server only has access to that single users cookie, so the idea of scanning the 'session repository' for data doesn't really exist. The best you can do is look what's in the session that's been handed over by the user during the request (print(session)).

I was confused by this idea of sessions to start with, I came from a PHP background, and though my memory is fuzzy-- PHP's sessions defaulted to be server-side, with the client cookie just storing a reference/id.