SESSION_COOKIE_SECURE does not encrypt session

Question

I'm trying to put some security on my Flask web app. As a first step I'm going to make my session cookie secure by setting SESSION_COOKIE_SECURE to true.

But after I get my session cookie from "inspect element" I can decode session cookie easily and there is no difference whether I add SESSION_COOKIE_SECURE or not.

Here is my code:

from flask import Flask, request, app, render_template, session, send_file, redirect

MyApp = Flask(__name__)
MyApp.secret_key = "something"
application = MyApp  
if __name__ == "__main__":
    MyApp.debug = False
    MyApp.config.update(
        SESSION_COOKIE_SECURE=True,
        SESSION_COOKIE_HTTPONLY=True,
        SESSION_COOKIE_SAMESITE='Lax',
    )
    MyApp.config["SESSION_PERMANENT"] = True
    MyApp.run()

I also tried to add this attribute using the following syntax but this made no difference:

    MyApp.config['SESSION_COOKIE_SECURE'] = True

When I try to print SESSION_COOKIE_SECURE I get this error

Traceback (most recent call last):
  File "...", line ..., in <module>
    print(MyApp.session_cookie_secure)
 AttributeError: 'Flask' object has no attribute 'session_cookie_secure'

My Flask version is 1.0.2, and I'm on HTTPS.

Martijn Pieters · Accepted Answer · 2018-09-24T16:31:28.763

Setting SESSION_COOKIE_SECURE does not encrypt the cookie value, no. When set, this causes Flask to create cookies with the "Secure" flag set. This means that a browser can only return the cookie to the server over an encrypted connection, nothing more. The setting doesn't change anything about the cookie value itself.

Flask produces cookies that are cryptographically signed, by default. That means that the cookie contents can be decoded but not altered, because a third party without access to the server secret can't create a valid signature for the cookie.

You generally don't need to encrypt your session cookie if you a) use HTTPS (which encrypts the data from outsiders) and b) protect your web app from XSS attacks. Without an XSS attack vector, attackers can't get access to your cookie contents at all anyway.

You certainly don't need to do so here, as SESSION_COOKIE_HTTPONLY means that the browser will never expose the cookie to JavaScript, and only someone with full access to the browser can see the cookie value.

Flask doesn't have a 'encrypt cookie' setting, because it is not deemed necessary when you can secure the cookie in other ways. You should not store information in a session cookie so sensitive that it should be protected from the end-user with access to the browser storage; keep such data on the server and only store a unique identifier in the session to retrieve that secret data later on.

If for some reason you can't keep such secrets out of the session cookie and are unwilling to accept that the end-user can read this data, then you'll have to encrypt the cookie yourself or use an alternative session provider for Flask, such as EncryptedSession.

As for the attribute error: only a few configuration settings are accessible as attributes on the Flask object. To print arbitrary configuration settings, use the app.config object:

print(MyApp.config['SESSION_COOKIE_SECURE'])

@K327: sure, but why is there data in the cookie the user must not see? — Martijn Pieters, Sep 24 '18 at 16:31
i have put user role in session but as you said user cant change it . i get my answer thanks man — K327, Sep 24 '18 at 16:42

SESSION_COOKIE_SECURE does not encrypt session

1 Answers1