On Mon, 25 Jan 2021 13:41:57 +0000, Terry Coles wrote:
> Since we can't force anyone to clear their cookies, I guess this
> comes back to my original query; how unsafe is this? I can see
> Hamish's point, the session cookie is only going to be stored on
> the user's device, so if he keeps it safe, things should be OK.
To a large extent, it is the user's prerogative whether they keep the session cookie indefinitely. However, it is the web server's prerogative whether it will continue to accept the same session cookie indefinitely. A session cookie will only let you in for as long as the server thinks it corresponds to a valid session.

This means you can have a server-side time-out on the session, after which the user's session cookie is worthless and they have to get a new one by logging in anew. You can also have a log-out option on the web page, which will instruct the server to terminate the session.

This is applicable to the Web in general. I am afraid I don't know how you would implement a time-out or log-out feature in Flask specifically. It is possible there might already be a session time-out enabled by default in your server, but it could be many days long.

So the question is whether long-lasting sessions are a risk or not, and that depends on the application. In this case, I'd guess the chances and consequences of someone using the session cookie to gain unauthorised access will be relatively limited.

Patrick

-- 
Next meeting: Online, Jitsi, Tuesday, 2021-02-02 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ... http://dorset.lug.org.uk
New thread, don't hijack: mailto:dorset@mailman.lug.org.uk
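The server-side session handling Patrick describes (the server, not the cookie, decides how long a session stays valid; a time-out makes the cookie worthless; log-out terminates the session), as an added, framework-agnostic example that is not from anyone in this thread and is not Flask's own session API. It uses only the Python standard library; the names SessionStore, FakeClock and demo are assumptions made here, and the 30-minute lifetime and the user name are constructed sample values. The clock is injected so the time-out can be exercised without waiting.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    expires_at: float  # absolute server time after which the session is dead


class SessionStore:
    """Server-side session table.

    The value placed in the cookie is an opaque random token. The server keeps
    the real state, so it can refuse a token the user has kept for too long,
    and log-out simply deletes the entry so the cookie no longer matches anything.
    """

    def __init__(self, lifetime_seconds: int, clock: Callable[[], float] = time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG: not guessable, not
        # derived from the user name or the time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.clock() + self.lifetime)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the logged-in user for this cookie, or None if it is not valid."""
        sess = self._sessions.get(token)
        if sess is None:
            return None  # unknown token, or already logged out
        if self.clock() >= sess.expires_at:
            del self._sessions[token]  # timed out: the cookie is now worthless
            return None
        return sess.user

    def logout(self, token: str) -> bool:
        """Terminate the session on the server side; True if one existed."""
        return self._sessions.pop(token, None) is not None


class FakeClock:
    """Controllable clock so the time-out can be demonstrated instantly (constructed for the example)."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, Optional[str]]:
    clock = FakeClock(1_000_000.0)
    store = SessionStore(lifetime_seconds=30 * 60, clock=clock)  # 30-minute server-side time-out
    results: Dict[str, Optional[str]] = {}

    token = store.login("terry")  # constructed sample user
    results["fresh"] = store.lookup(token)
    clock.advance(30 * 60 - 1)
    results["just_before_timeout"] = store.lookup(token)
    clock.advance(2)
    results["after_timeout"] = store.lookup(token)  # same cookie, now rejected

    token2 = store.login("terry")  # logging in anew issues a new token
    results["relogin"] = store.lookup(token2)
    store.logout(token2)
    results["after_logout"] = store.lookup(token2)
    results["bogus"] = store.lookup("not-a-token-the-server-issued")
    return results


if __name__ == "__main__":
    for step, user in demo().items():
        print(f"{step:>20}: {user}")
```

The time-out here is absolute from login; an idle time-out would instead push `expires_at` forward on every successful `lookup`. Either way the decision lives on the server, which is the point of the reply above: a user hanging on to an old cookie gains nothing once the server has dropped the session.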