
I am trying to make a primitive authorization by session; here is some sample code:

import uvicorn
from fastapi import FastAPI, Request
from starlette.middleware.sessions import SessionMiddleware

app = FastAPI()
app.add_middleware(SessionMiddleware, secret_key="some-random-string", max_age=0)


@app.get("/a")
async def session_set(request: Request):
    request.session["my_var"] = "1234"
    return 'ok'


@app.get("/b")
async def session_info(request: Request):
    my_var = request.session.get("my_var", None)
    return my_var


if __name__ == '__main__':
    uvicorn.run('http-session:app', port=5000, reload=True)

The session is set, everything is fine, but the session_info endpoint returns an empty dictionary. Can you explain to me what I am doing wrong?

  • Wouldn't `max_age=0` mean that the cookie expires as soon as it's being set? Have you verified that the cookie is being sent along with the second request? – MatsLindh Sep 29 '22 at 13:16
  • I thought that maxage=0 means that the session will be infinite until the user logs out. It turns out you need to set maxage=None to achieve this. Now I changed it, I'm already getting a response, but the session changes with each request to session_info. How to fix it? I need to work with one session and change it only in route session_set – 28 Lucky Sep 29 '22 at 13:19
  • @MatsLindh https://prnt.sc/cwsZS3h94YM- https://prnt.sc/rZGR2z_p0rzr – 28 Lucky Sep 29 '22 at 13:22

1 Answer

As per Starlette documentation on SessionMiddleware:

  • ...

  • max_age - Session expiry time in seconds. Defaults to 2 weeks. If set to None then the cookie will last as long as the browser session.

  • same_site - SameSite flag prevents the browser from sending session cookie along with cross-site requests. Defaults to 'lax'.

  • https_only - Indicate that Secure flag should be set (can be used with HTTPS only). Defaults to False.

Hence, using max_age=0 simply results in the session cookie getting instantly expired (see this answer as well). You can either remove max_age when calling the app.add_middleware() function, or adjust it as desired. Additionally, you may consider adjusting the same_site and https_only flags as well, in order to provide some protection to the session cookie (see this answer for more details).

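One way to check what those three options actually do to the cookie, as an added example that is not part of the answer or of Starlette: session_set_cookie (a hypothetical helper) builds a Set-Cookie value in the shape SessionMiddleware emits for given max_age / same_site / https_only settings, and audit_session_cookie parses such a header with the standard library and reports the weak settings discussed above, including the Max-Age=0 case from the question.

```python
"""Audit the Set-Cookie header a session middleware emits (added example,
modelled on SessionMiddleware's options; not Starlette's own code)."""
from __future__ import annotations

from http.cookies import SimpleCookie


def session_set_cookie(data: str, max_age: int | None = 14 * 24 * 3600,
                       same_site: str = "lax", https_only: bool = False) -> str:
    """Constructed Set-Cookie value mirroring the middleware kwargs:
    max_age -> Max-Age (None omits it, giving a browser-session cookie),
    same_site -> SameSite, https_only -> Secure. HttpOnly is always set."""
    parts = [f"session={data}", "path=/"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    parts.append("httponly")
    parts.append(f"samesite={same_site}")
    if https_only:
        parts.append("secure")
    return "; ".join(parts)


def audit_session_cookie(set_cookie: str, cookie_name: str = "session") -> list[str]:
    """Return findings for the named cookie in a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if cookie_name not in jar:
        return [f"no '{cookie_name}' cookie in header"]
    morsel = jar[cookie_name]
    findings: list[str] = []

    # An unset Max-Age ("") is a browser-session cookie; 0 or less expires it immediately,
    # which is why the question's session_info endpoint never saw the session.
    max_age = morsel["max-age"]
    if max_age != "" and int(max_age) <= 0:
        findings.append("Max-Age<=0: browser discards the cookie at once, session never persists")
    if not morsel["secure"]:
        findings.append("missing Secure: cookie is also sent over plain HTTP (set https_only=True)")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    samesite = morsel["samesite"].lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"SameSite={samesite or 'unset'}: cookie sent on cross-site requests")
    return findings


if __name__ == "__main__":
    for hdr in (session_set_cookie("abc", max_age=0), session_set_cookie("abc", https_only=True)):
        print(hdr, "->", audit_session_cookie(hdr) or "ok")
```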
  • I thought that maxage=0 means that the session will be infinite until the user logs out. It turns out you need to set maxage=None to achieve this. Now I changed it, I'm already getting a response, but the session changes with each request to session_info. How to fix it? I need to work with one session and change it only in route session_set prnt.sc/cwsZS3h94YM- prnt.sc/rZGR2z_p0rzr – 28 Lucky Sep 29 '22 at 13:22
  • Help me there please ! Its other problem https://stackoverflow.com/questions/73897479/fastapi-set-new-session-every-request – 28 Lucky Sep 29 '22 at 15:08
  • I marked your answer – 28 Lucky Sep 29 '22 at 15:29
  • https://prnt.sc/0r_vnTSOPVxM – 28 Lucky Sep 29 '22 at 15:35
  • Can you help me there too? https://stackoverflow.com/questions/73897479/fastapi-sets-new-session-for-every-request – 28 Lucky Sep 29 '22 at 15:35
  • When max_age is set to None , it throws error TypeError: %d format: a real number is required, not NoneType. – elyte5star Feb 01 '23 at 00:37
  • @elyte5star update your version of starlette/fastapi. I had the same issue. – Jimmy Hedström Mar 30 '23 at 07:50