On Mon, 25 Jan 2021 13:41:57 +0000, Terry Coles wrote:
> Since we can't force anyone to clear their cookies, I guess this
> comes back to my original query; how unsafe is this?  I can see
> Hamish's point, the session cookie is only going to be stored on
> the user's device, so if he keeps it safe, things should be OK.

To a large extent, it is the user's prerogative whether they keep the 
session cookie indefinitely.

However, it is the web server's prerogative whether it will continue 
to accept the same session cookie indefinitely. A session cookie will 
only let you in for as long as the server thinks it corresponds to a 
valid session.

This means you can have a server-side time-out on the session, after 
which the user's session cookie is worthless and they have to get a 
new one by logging in anew.

You can also have a log-out option on the web page, which will 
instruct the server to terminate the session.

This is applicable to the Web in general. I am afraid I don't know how 
you would implement a time-out or log-out feature in Flask 
specifically.

It is possible there might already be a session time-out enabled by 
default in your server, but it could be many days long.

So the question is whether long-lasting sessions are a risk or not, 
and that depends on the application. In this case, I'd guess the 
chances and consequences of someone using the session cookie to gain 
unauthorised access will be relatively limited.

Patrick

-- 
  Next meeting: Online, Jitsi, Tuesday, 2021-02-02 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
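The mechanism Patrick describes (the cookie is just a token; the server decides how long it stays valid, and a log-out makes the server forget it) can be shown in a few dozen lines of framework-independent Python. The following is an added example written for this archive page; it is not Patrick's code, not Terry's application, and not Flask's own session implementation. It assumes an in-memory dictionary as the server-side session table, an idle time-out and an absolute lifetime as the two expiry rules, and a `clock` parameter (injected so the demo can advance time without sleeping); the user name `"terry"` and the time-outs in `demo()` are constructed values.

```python
"""Server-side session table with an idle time-out, an absolute lifetime and an
explicit log-out. Constructed example using only the standard library."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before the session dies
ABSOLUTE_LIFETIME = 12 * 3600   # hard cap regardless of activity


@dataclass
class Session:
    user: str
    created: float     # when the session was issued
    last_seen: float   # last request that presented a valid token


class SessionStore:
    """Maps opaque session tokens (the cookie value) to server-side state.

    The cookie carries no authority of its own: once the server has forgotten
    the token, the cookie is worthless however long the client keeps it.
    """

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle: float = IDLE_TIMEOUT, lifetime: float = ABSOLUTE_LIFETIME):
        self._clock = clock        # injectable so tests can move time forward
        self._idle = idle
        self._lifetime = lifetime
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session and return the token to send as the cookie value."""
        token = secrets.token_urlsafe(32)   # 256 random bits: unguessable
        now = self._clock()
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the user if the token is still valid, else None.

        Expired entries are deleted on sight so they cannot be revived later.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._idle or now - sess.created > self._lifetime:
            del self._sessions[token]
            return None
        sess.last_seen = now   # sliding idle window: activity extends the session
        return sess.user

    def logout(self, token: str) -> None:
        """Explicit log-out: forget the token server-side. Any copy of the
        cookie kept on a device is now useless."""
        self._sessions.pop(token, None)

    def purge_expired(self) -> int:
        """Housekeeping for tokens that were never presented again."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items()
                if now - s.last_seen > self._idle or now - s.created > self._lifetime]
        for t in dead:
            del self._sessions[t]
        return len(dead)


def demo() -> Dict[str, Optional[str]]:
    """Walk one user through each way a session can stop being accepted.
    Uses a fake clock (constructed values: 60 s idle, 600 s lifetime)."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0], idle=60, lifetime=600)
    out: Dict[str, Optional[str]] = {}

    tok = store.login("terry")
    out["fresh"] = store.user_for(tok)            # accepted immediately
    now[0] += 30
    out["active"] = store.user_for(tok)           # 30 s idle < 60 s: still valid
    now[0] += 61
    out["idle_expired"] = store.user_for(tok)     # 61 s since last request: gone

    tok = store.login("terry")
    store.logout(tok)
    out["logged_out"] = store.user_for(tok)       # server forgot it: gone

    tok = store.login("terry")
    for _ in range(12):                           # stay active, 50 s apart
        now[0] += 50
        out["before_cap"] = store.user_for(tok)   # 600 s total: still within cap
    now[0] += 50
    out["lifetime_expired"] = store.user_for(tok)  # 650 s since issue: gone
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} -> {value}")
```

Two points worth noting. First, a server-side table is what makes log-out meaningful: Flask's default session is a client-side signed cookie, so `session.clear()` on log-out only tells that browser to drop the cookie, and a copy taken earlier remains valid until the signature's `PERMANENT_SESSION_LIFETIME` age runs out. Wiring a store like the one above into a Flask app (for example by reading the token in a `before_request` hook and rejecting the request when `user_for` returns `None`) is the assumed integration, not something the thread describes. Second, the idle time-out and the absolute lifetime answer different risks: the idle window limits how long an unattended, still-logged-in device stays usable, while the hard cap bounds the damage from a cookie that was copied while the user was active.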
