Skip to content

Instantly share code, notes, and snippets.

@andris-silis

andris-silis/Flask SSL-only Session Interface

Last active December 20, 2015 05:18
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save andris-silis/6077426 to your computer and use it in GitHub Desktop.
Save andris-silis/6077426 to your computer and use it in GitHub Desktop.
Download ZIP
SSL-only session interface for Flask. Sets session cookie only on SSL connection to prevent session hijacking. Sessions will not work on unsecured connections. Need to implement additional secondary session for insecure connection if flashes or something is needed.
Raw
Flask SSL-only Session Interface
# Usage:
app = Flask()
app.session_interface = SecureCookieSSLOnlySessionInterface()
from flask.sessions import SecureCookieSessionInterface
from flask import request
class SecureCookieSSLOnlySessionInterface(SecureCookieSessionInterface):
"""The SSL cookie session interface. Sets cookie only on SSL connections.
"""
def request_is_secure(self, request):
criteria = [
request.is_secure,
request.headers.get('X-Forwarded-Proto', 'http') == 'https'
]
return any(criteria)
def save_session(self, app, session, response):
# Don't save session if request is not secure
if not self.request_is_secure(request):
return
return super(SecureCookieSSLOnlySessionInterface, self).save_session(app, session, response)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment