dynamodb-session-flask
A session implementation for Flask using DynamoDB as a backing store and OWASP best practices for session management.
An implementation of a Flask session using DynamoDB as backend storage. This project was built on dynamodb-session-web, adding support for the Flask framework.
I tried and acquired an appreciation for some other DynamoDB backend implementations for Flask sessions. However, I needed a few extra things.
In addition to the OWASP Session Management best practices implemented in dynamodb-session-web, this project adds support for further best practices, including a non-descriptive session ID name: id for cookies, and x-id for headers.
Requires a DynamoDB table named app_session (the name can be changed in settings). Here's an example table creation statement:
aws dynamodb create-table \
    --attribute-definitions \
        AttributeName=id,AttributeType=S \
    --key-schema "AttributeName=id,KeyType=HASH" \
    --provisioned-throughput "ReadCapacityUnits=5,WriteCapacityUnits=5" \
    --table-name app_session
Sessions are intended to operate just like the default Flask session implementation:
from flask import Flask, session
from dynamodb_session_flask import DynamoDbSession

flask_app = Flask(__name__)
# Replace Flask's default cookie-backed session with the DynamoDB-backed one
flask_app.session_interface = DynamoDbSession()

@flask_app.route('/save')
def save():
    session['val'] = 'My Value'
    return 'Success', 200

@flask_app.route('/load')
def load():
    saved_val = session['val']
    return saved_val, 200

@flask_app.route('/end')
def end_session():
    # This will remove the session from the database and remove the session ID from cookies/headers
    session.clear()
    return 'Success', 200
If using the extra methods that are provided (see the session instance methods below), you may find it useful to have an extra module-level variable; it helps with IDE code completion.
from typing import cast
from flask import Flask, session as flask_session
from dynamodb_session_flask import DynamoDbSessionInstance

# The cast only affects type checking and code completion; at runtime this is still Flask's session proxy
dynamodb_session = cast(DynamoDbSessionInstance, flask_session)

def abandon_session():
    dynamodb_session.abandon()
While this session implementation is backwards compatible with the Flask session functionality/interface, there are some additional methods available on the session instance that can be used if needed:
- abandon()
- create()
- save(): This method is not usually needed, since Flask will save the session at the end of a request. However, it is provided for cases where the session must be saved earlier.
There are additional configuration options, which are set like normal Flask configuration:
flask_app = Flask(__name__)
flask_app.config.update(
    SESSION_DYNAMODB_IDLE_TIMEOUT=600
)
All configuration is optional, assuming the defaults are okay.

SESSION_DYNAMODB_ABSOLUTE_TIMEOUT
Maximum lifetime of a session, in seconds, measured from when it was created.
Note: This setting works in conjunction with Flask's PERMANENT_SESSION_LIFETIME setting. The absolute timeout chosen will be whichever is less.
Default: 43200 (12 hours)

SESSION_DYNAMODB_ENDPOINT_URL
Endpoint URL for the DynamoDB client (for example, a locally running DynamoDB). When None, Boto3's normal endpoint resolution applies.
Default: None (i.e. Boto3 logic)

SESSION_DYNAMODB_HEADER_NAME
Name of the header that carries the session ID when headers are used.
Default: x-id

SESSION_DYNAMODB_IDLE_TIMEOUT
Maximum time, in seconds, that a session may go unused before it expires.
Default: 7200 (2 hours)

SESSION_DYNAMODB_SID_BYTE_LENGTH
Number of random bytes used to generate a session ID. This does not correlate to the character length of the ID, which depends on how the bytes are encoded and on whether a signature is appended (see SESSION_DYNAMODB_SID_KEYS).
Default: 32

SESSION_DYNAMODB_SID_KEYS
Keys used to sign the session ID. The signature is generated using itsdangerous and includes key rotation: if/when rotation is desired, the array is used in order from oldest to newest; otherwise, one key is all that is needed. An empty array means no signature is generated, so a received session ID is accepted as-is and only the DynamoDB lookup decides whether it is valid.
Default: [] (no signature)

SESSION_DYNAMODB_TABLE_NAME
Name of the DynamoDB table that stores sessions (see the table creation example above).
Default: app_session

SESSION_DYNAMODB_OVERRIDE_COOKIE_NAME
Setting this to True will set the cookie name to id. Otherwise, Flask's configuration will be used.
Default: True

SESSION_DYNAMODB_OVERRIDE_COOKIE_SECURE
Setting this to True will force the Secure attribute to also be True. Otherwise, Flask's configuration will be used.
Note: You'll want to set this to False in any environment where TLS is not used (e.g. local development); browsers never send a Secure cookie over plain HTTP, so the session would silently fail to persist.
Default: True

SESSION_DYNAMODB_USE_HEADER
Whether the session ID is carried in a header (named by SESSION_DYNAMODB_HEADER_NAME) rather than only in a cookie.
Default: False

SESSION_COOKIE_SAMESITE
Flask's own setting; this library changes its default.
Default: Strict (indirectly changed)
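The timeout and signing rules above can be modelled with the standard library. The following is an added example, not dynamodb-session-flask's (or dynamodb-session-web's) own code: it uses hmac in place of itsdangerous, assumes base64url encoding of the random ID and a sid.signature token layout (both assumptions, not documented here), and takes only the documented rules from the page: the effective absolute timeout is the lesser of the two settings, keys are tried oldest to newest so a session issued under an older key survives rotation, and an empty key list means the ID is accepted unsigned.

```python
"""Illustrative model of the documented timeout and SID-signing semantics.

Added example; not the project's implementation. Uses hmac/sha256 instead of
itsdangerous, and the ID encoding and token layout are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SID_BYTE_LENGTH = 32                         # SESSION_DYNAMODB_SID_BYTE_LENGTH default
IDLE_TIMEOUT = 7200                          # SESSION_DYNAMODB_IDLE_TIMEOUT default (2 h)
ABSOLUTE_TIMEOUT = 43200                     # SESSION_DYNAMODB_ABSOLUTE_TIMEOUT default (12 h)
PERMANENT_SESSION_LIFETIME = 31 * 24 * 3600  # Flask's default, in seconds


def effective_absolute_timeout(dynamodb_absolute: int, flask_lifetime: int) -> int:
    """The absolute timeout used is whichever of the two settings is less."""
    return min(dynamodb_absolute, flask_lifetime)


def is_expired(created: float, last_accessed: float, now: float,
               idle: int = IDLE_TIMEOUT, absolute: int = ABSOLUTE_TIMEOUT,
               flask_lifetime: int = PERMANENT_SESSION_LIFETIME) -> bool:
    """A session dies when it sits idle too long OR when it is simply too old."""
    if now - last_accessed > idle:
        return True
    if now - created > effective_absolute_timeout(absolute, flask_lifetime):
        return True
    return False


def new_sid(byte_length: int = SID_BYTE_LENGTH) -> str:
    """Random ID. Assumption: base64url without padding (32 bytes -> 43 chars)."""
    raw = secrets.token_bytes(byte_length)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _sig(key: bytes, sid: str) -> str:
    mac = hmac.new(key, sid.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_sid(sid: str, keys: list) -> str:
    """Empty key list -> no signature. Otherwise sign with the newest (last) key."""
    if not keys:
        return sid
    return f"{sid}.{_sig(keys[-1], sid)}"


def verify_sid(token: str, keys: list) -> Optional[str]:
    """Return the bare session ID if the token is acceptable, else None.

    Every configured key (oldest to newest) may validate an existing signature,
    so a cookie issued under a previous key keeps working after rotation. With
    no keys configured, nothing is checked here; only the store lookup decides.
    """
    if not keys:
        return token
    if "." not in token:
        return None  # signing is configured, so an unsigned ID is rejected
    sid, sig = token.rsplit(".", 1)
    for key in keys:
        if hmac.compare_digest(_sig(key, sid), sig):
            return sid
    return None
```

Rotation in practice: append the new key to SESSION_DYNAMODB_SID_KEYS, deploy, and drop the old key only after every session signed with it has passed the absolute timeout; removing the old key earlier logs those users out. Note what the default (no keys) gives up: a forged or tampered ID is not rejected until the DynamoDB lookup misses, so every garbage cookie costs a read.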
Flask has a pattern for accessing the session when running tests. This mechanism still uses the backend session_interface set for the app (i.e. it will still use DynamoDB). To help reduce dependencies when simply trying to run unit tests that need a value set in the session, there's a separate session_interface that can be used.
Below is a working example, copied from this project's tests. Improvements could be made depending on test expectations.
import pytest
from dynamodb_session_flask.testing import TestSession
from flask import Flask, session


@pytest.fixture
def app():
    flask_app = Flask(__name__)

    @flask_app.route('/load')
    def load():
        return {
            'actual_value': session.get('val', None),
        }

    yield flask_app


@pytest.fixture()
def test_client(app):
    # In-memory session interface: no DynamoDB needed for these tests
    app.session_interface = TestSession()
    return app.test_client()


def test_able_to_use_test_session_transaction(test_client):
    expected_value = 'fake_value'
    with test_client:
        with test_client.session_transaction() as test_session:
            test_session['val'] = expected_value
        response = test_client.get('/load')
    assert response.json['actual_value'] == expected_value