Skip to content

Commit 2efb565

Browse files
davidismdavidism
committed
mention that session signature checks max age
add expiration to cookie security docs closes pallets#2422
1 parent ed1f604 commit 2efb565

File tree

2 files changed

+36
-4
lines changed

2 files changed

+36
-4
lines changed

docs/config.rst

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -167,9 +167,12 @@ The following configuration values are used internally by Flask:
167167

168168
.. py:data:: PERMANENT_SESSION_LIFETIME
169169
170-
If ``session.permanent`` is true, the cookie's max age will be set to this
171-
number of seconds. Can either be a :class:`datetime.timedelta` or an
172-
``int``.
170+
If ``session.permanent`` is true, the cookie's expiration will be set this
171+
number of seconds in the future. Can either be a
172+
:class:`datetime.timedelta` or an ``int``.
173+
174+
Flask's default cookie implementation validates that the cryptographic
175+
signature is not older than this value.
173176

174177
Default: ``timedelta(days=31)`` (``2678400`` seconds)
175178

docs/security.rst

Lines changed: 30 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -206,7 +206,36 @@ They can be set on other cookies too.
206206

207207
response.set_cookie('username', 'flask', secure=True, httponly=True)
208208

209-
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies
209+
Specifying ``Expires`` or ``Max-Age`` options, will remove the cookie after
210+
the given time, or the current time plus the age, respectively. If neither
211+
option is set, the cookie will be removed when the browser is closed. ::
212+
213+
# cookie expires after 10 minutes
214+
response.set_cookie('snakes', '3', max_age=600)
215+
216+
For the session cookie, if ``session.permanent`` is set, then
217+
:data:`SESSION_COOKIE_LIFETIME` is used to set the expiration. Flask's default
218+
cookie implementation validates that the cryptographic signature is not older
219+
than this value. Lowering this value may help mitigate replay attacks, where
220+
intercepted cookies can be sent at a later time.
221+
222+
app.config.update(
223+
PERMANENT_SESSION_LIFETIME=600
224+
)
225+
226+
@app.route('/login', methods=['POST'])
227+
def login():
228+
...
229+
session.clear()
230+
session['user_id'] = user.id
231+
session.permanent = True
232+
...
233+
234+
Use :class:`TimedSerializer` to sign and validate other cookie values (or any
235+
values that need secure signatures).
236+
237+
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
238+
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
210239

211240
HTTP Public Key Pinning (HPKP)
212241
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0 commit comments

Comments
 (0)