Constant Flask Session IDs

Question

I've a Flask application, served with Nginx+WSGI (FastCGI & Gevent) and use standard Flask sessions. I do not use the session.permanent=True or any other extra option, but simply set SECRET_KEY in the default configuration.

I do not save any (key,value) pairs in the session, and only rely on the SID = session['_id'] entry to identify a returning user. I use the following code the read the SID:

@page.route ('/')
def main (page='home', template='index.html'):

    if not request.args.get ('silent', False):
        print >> sys.stderr, "Session ID: %r" % session['_id']

I made the following observations:

1. For same IP addresses, but different browsers I get different SIDs - that's expected;
2. For different IPs & same browser I again have different SIDs - expected;
3. For same IP address with same browser I get same SID - also expected;

Now, point (3) is interesting because even if a delete the corresponding cookie the SID remains constant! To some extent even that might be understandable, but actually I was expecting the SID to change between different cookies. But the only difference I see is that

session.new is True

for the first request immediately after the deletion of the cookie. Even that is very much expected; but given these facts I face the following problems:

1. Does this mean that for different users sitting behind the same IP (with the same browser configuration) my back-end will mistake them for the same user?

2. If point (1) is not the case, the current behavior of these "sticky" sessions is actually quite pleasant, since this avoids the situation where my users might loose there data just because they deleted the corresponding cookie.

   They can still save the day, by revisiting the site from the same network with the same browser. I like that, but only if point (1) is not the case.

3. I assume point (1) will actually bite me, would the conclusion actually be to save a token in the session and hence accept the fate that the user can blow himself up, by simply deleting his cookie?

4. Or is there a way to tell Flask to give different SIDs for each fresh cookie?

Actually, this question arouse since I used a load impact service, which was simulating different users (on the same IP) but my back-end kept seeing them as a single user since the corresponding SIDs were all the same.

The application is available for tests at http://webed.blackhan.ch (which upon release will move the https://notex.ch [a browser based text editor]). Thank you for your answers.

Answer 1

session['_id'] is not an actual session identifier. It's just a value used by Flask-Login to implement Session Protection.

Standard Flask sessions do not have an SID - as it would serve no purpose since the actual content of the session is stored in the cookie itself. Also see this.

Answer 2

it's now 2022, and Flask-Session does support session.sid to get a generated UUID that looks something like this:

print(session.sid)
>>> f9c792fa-70e0-46e3-b84a-3a11813468ce

From the docs (https://flasksession.readthedocs.io/en/latest/)

sid

Session id, internally we use uuid.uuid4() to generate one session id. You can access it with session.sid.