A session implementation for Flask using DynamoDB as a backing store and OWASP best practices for session management.
Project description
dynamodb-session-flask
An implementation of a Flask session using DynamoDB as backend storage. This project was built on dynamodb-session-web, but with support for the Flask framework.
In addition to the OWASP Session Management best practices implemented in dynamodb-session-web, this project has additional support for these best practices:
- Non-descript session ID name - Defaults to `id` for cookies, and `x-id` for headers. Side-Comment - isn't a non-descript suggestion for a name actually descriptive?
- Cookie setting defaults:
  - Secure = True
  - HttpOnly = True
  - SameSite = Strict
  - Domain and Path - Must set these yourself
- ID Exchange
  - The accepted session ID mechanism (i.e. cookie vs header) is enforced. That is, a user cannot submit a session ID through a header if a cookie is expected.
Usage
Requires a DynamoDB table named `app_session` (can be changed in settings).
Here's an example table creation statement:

```shell
aws dynamodb create-table \
    --attribute-definitions \
        AttributeName=id,AttributeType=S \
    --key-schema "AttributeName=id,KeyType=HASH" \
    --provisioned-throughput "ReadCapacityUnits=5,WriteCapacityUnits=5" \
    --table-name app_session
```
Sessions are intended to operate just like the default Flask session implementation:

```python
from flask import Flask, session
from dynamodb_session_flask import DynamoDbSession

flask_app = Flask(__name__)
flask_app.session_interface = DynamoDbSession()


@flask_app.route('/save')
def save():
    session['val'] = 'My Value'
    return 'Success', 200


@flask_app.route('/load')
def load():
    saved_val = session['val']
    return saved_val, 200


@flask_app.route('/end')
def end_session():
    # This will remove the session from the database and remove the session ID from cookies/headers
    session.clear()
    return 'Success', 200
```
Configuration
There are additional configuration options, which are set like normal Flask configuration:

```python
flask_app = Flask(__name__)
flask_app.config.update(
    SESSION_DYNAMODB_IDLE_TIMEOUT=600
)
```
All configuration is optional, assuming the defaults are okay.
- `SESSION_DYNAMODB_ABSOLUTE_TIMEOUT` - Absolute session timeout (in seconds). Note: this setting works in conjunction with Flask's `PERMANENT_SESSION_LIFETIME` setting; the absolute timeout used is whichever is less. Default: `43200` (12 hours)
- `SESSION_DYNAMODB_ENDPOINT_URL` - The DynamoDB URL. Default: `None` (i.e. Boto3 logic)
- `SESSION_DYNAMODB_HEADER_NAME` - The name of the header to use for the session ID. Default: `x-id`
- `SESSION_DYNAMODB_IDLE_TIMEOUT` - Idle session timeout (in seconds). Default: `7200` (2 hours)
- `SESSION_DYNAMODB_SID_BYTE_LENGTH` - Session ID length in bytes. This does not correlate to the character length of the ID, which will be either:
  - 43 - how many characters a 32-byte value uses when Base64 encoded.
  - 71 - the 43 characters from the previous bullet, plus a dot and finally a 27-character HMAC signature.

  Default: `32`
- `SESSION_DYNAMODB_SID_KEYS` - For a slightly more secure session ID, the ID can be signed using a configurable and rotatable key. The signature is generated using `itsdangerous` and includes key rotation. If/when rotation is desired, the array is used in order from oldest to newest; otherwise, one key is all that is needed. An empty array means no signature is generated. Default: `[]` (no signature)
- `SESSION_DYNAMODB_TABLE_NAME` - The name of the DynamoDB table. Default: `app_session`
- `SESSION_DYNAMODB_OVERRIDE_COOKIE_NAME` - Whether or not to override Flask's [`SESSION_COOKIE_NAME`](https://flask.palletsprojects.com/en/2.0.x/config/#SESSION_COOKIE_NAME) configuration for the session ID. While somewhat trivial, OWASP's recommended value is `id` and Flask's default is `session`. So to avoid using Flask's default or modifying it behind the scenes, this setting helps separate this library's preferred default from Flask's. Setting this to `True` will set the cookie name to `id`. Otherwise, Flask's configuration will be used. Default: `True`
- `SESSION_DYNAMODB_OVERRIDE_COOKIE_SECURE` - Whether or not to override Flask's [`SESSION_COOKIE_SECURE`](https://flask.palletsprojects.com/en/2.0.x/config/#SESSION_COOKIE_SECURE) for the cookie's Secure attribute. Flask defaults that attribute to `False`, whereas this should ideally be `True` to prevent man-in-the-middle attacks. Setting this to `True` will force the Secure attribute to also be `True`. Otherwise, Flask's configuration will be used. Note: you'll want to set this to `False` in any environment where TLS is not used (e.g. local development). Default: `True`
- `SESSION_DYNAMODB_USE_HEADER` - Whether or not to communicate/expect the session ID via headers. Default: `False`
- `SESSION_COOKIE_SAMESITE` - This is actually a Flask configuration, which defaults to `None`. However, if the value is `None`, then we set it to `Strict` by default. Default: `Strict` (indirectly changed)
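To make the `SESSION_DYNAMODB_SID_BYTE_LENGTH` and `SESSION_DYNAMODB_SID_KEYS` entries concrete, here is an added, stand-alone model (not code from dynamodb-session-flask or itsdangerous) of the ID layout they describe: 32 random bytes become a 43-character URL-safe Base64 ID, an HMAC-SHA1 signature adds a dot plus 27 characters for 71 in total, and verification accepts any key in the rotation list while signing always uses the newest. It uses only the standard library and is assumed not to be byte-compatible with itsdangerous, which derives its signing key differently; the key values are constructed samples.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed model of the session-ID layout described in the configuration
# list above. Assumption: itsdangerous applies its own key derivation, so the
# signatures produced here are NOT interchangeable with the library's.


def _b64(raw: bytes) -> str:
    """URL-safe Base64 without padding, the alphabet a cookie value can carry."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_session_id(byte_length: int = 32) -> str:
    """Random session ID: 32 bytes of CSPRNG output -> 43 characters."""
    return _b64(secrets.token_bytes(byte_length))


def _signature(sid: str, key: bytes) -> str:
    """HMAC-SHA1 over the ID: 20-byte digest -> 27 Base64 characters."""
    return _b64(hmac.new(key, sid.encode("ascii"), hashlib.sha1).digest())


def sign_session_id(sid: str, keys: List[bytes]) -> str:
    """Sign with the newest key (last in the list); an empty list means no signature."""
    if not keys:
        return sid
    return f"{sid}.{_signature(sid, keys[-1])}"


def verify_session_id(token: str, keys: List[bytes]) -> Optional[str]:
    """Return the bare ID when the token is acceptable, otherwise None.

    With keys configured, any key in the list may verify, so IDs signed before a
    rotation stay valid until the old key is dropped; an unsigned or tampered
    token is rejected. Comparison is constant-time to avoid leaking the MAC."""
    if not keys:
        return token
    sid, sep, sig = token.partition(".")
    if not sep:
        return None
    for key in keys:
        if hmac.compare_digest(_signature(sid, key), sig):
            return sid
    return None
```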
Source distribution: dynamodb-session-flask-0.5.0.tar.gz
Built distribution: dynamodb_session_flask-0.5.0-py3-none-any.whl