If the database is wiped but the app secret is not changed, logged-in users before the wipe may be able to access new accounts made with the ID they used to have #21

New issue

Open

opened 2025-11-22 18:23:04 -06:00 by digimint · 0 comments

digimint commented

2025-11-22 18:23:04 -06:00

Owner

A user A with ID 'n' is logged in (i.e. has a session token)
The users database table is wiped
Users start re-creating accounts. Another user, B, ends up with user ID n

Then A can access B's account.

To fix this, i need to write a proper session handler for flask-login that uses database-backed session IDs that can actually be revoked.

Flask-login handles sessions with signed tokens, rather than by storing session data in the database. This has the drawback that, if a user is signed in, their token will still give access to their user ID even after a database wipe. This can be exploited under very specific circumstances. If: - A user `A` with ID 'n' is logged in (i.e. has a session token) - The `users` database table is wiped - Users start re-creating accounts. Another user, `B`, ends up with user ID `n` Then `A` can access `B`'s account. To fix this, i need to write a proper session handler for flask-login that uses database-backed session IDs that can actually be revoked.

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: digimint/taskflower#21

No description provided.

Rows
Columns