0

I wrote a small flask app for a shopping cart and user login. I used the flask-session extension and sqlite3 for the

The problem I faced. I logged in as user A, and I added some items to the cart. Then I logged out from the app and logged in as another user B from the same browser. I did not close the browser. Now when I checked the cart, I could see the items that user A had added to his cart.

This is not what I expected, essentially I should have got an empty cart.

Kindly let me know what mistake I made.

I am pasting the code below that I used.

from flask import Flask, render_template, redirect, url_for, request, session
from flask_session import Session

import sqlite3


app = Flask(__name__)
app.config['SECRET_KEY'] = "ASecretKey-1"
app.config['SESSION_PERMANENT'] = True
app.config['SESSION_TYPE'] = 'filesystem'


Session(app)


def connectDB():
    dbObj = sqlite3.connect('shoppingCart.db')
    dbObj.row_factory = sqlite3.Row
    cur = dbObj.cursor()
    return (dbObj, cur)

def disConnectDB(dbObj, cur):
    cur.close()
    dbObj.close()
    
    del cur, dbObj





@app.route('/')
@app.route('/home')
def home():
    if not session.get('userName'):
        return render_template('login.html', pageTitle='Login Page')

    dbObj, cur = connectDB()
    data = cur.execute('SELECT rowid, * FROM inventory').fetchall()
    disConnectDB(dbObj, cur)
    contextValues=dict(pageTitle='HomePage', data=data, userName=session.get('userName'))

    return render_template('home.html', **contextValues)



@app.get('/login')
@app.post('/login')
def login():
    userName = request.form.get('userName')
    password = request.form.get('password')

    if (not userName) or (not password):
        return "<h1 style='color:darkorange'>Form incomplete.</h1>"
    else:
        dbObj, cur = connectDB()
        data = cur.execute("SELECT * FROM users WHERE userName =? AND password=?", (userName,password,)).fetchone()
        disConnectDB(dbObj, cur)

        print("*"*25,data)

        if data:
            session['userName'] = userName
            if not session.get('cart'):
                session['cart'] = []
        else:
            return "<h1 style='color:darkorange'>Incorrect Credentials.</h1>"
        

    return redirect(url_for('home'))




@app.route('/logout')
def logout():
    session.pop('userName')
    return redirect(url_for('home'))



@app.route('/cart')
def cart():
    cart = session.get('cart')
    return render_template('cart.html',pageTitle='cart',cart=cart)


@app.route('/addtocart', methods=['GET','POST'])
def addtocart():
    if session.get('userName'):
        qty = int(request.form.get('qty'))
        itemID = request.form.get('itemID')
        dbObj, cur = connectDB()
        itemData = cur.execute("SELECT * FROM inventory WHERE rowid=?",(itemID,)).fetchone()
        

        itemName= itemData['Item']
        price = itemData['Price']
        available_quantity=itemData['Quantity']

        if available_quantity - qty >= 0:
            available_quantity = available_quantity-qty
            session['cart'].append([itemName,qty,price*qty])
            cur.execute("UPDATE inventory SET Quantity=? WHERE rowid=?",(available_quantity,itemID,))
            dbObj.commit()
            disConnectDB(dbObj, cur)
            return render_template('addtocart.html', pageTitle='Added to cart', itemName=itemName, quantity=qty)
        else:
            disConnectDB(dbObj, cur)
            return "<h1 style='color:darkorange'>Insufficent quantity! Item cannot be added!</h1><br><a href='/home'>Return to home page</a>"
    else:
        return "<h1 style='color:darkorange'>You are not authorized to visit this page!</h1><a href='/home'>Return to login page</a>"
Arun Gopinath
  • 23
  • 3

1 Answers1

0

When a user uses your /logout route, you just clear the userName key from the session, but the cart is still stored in the session. The session is tied to the browser, and it will retain whatever is left in it. When the same browser logs in later, the cart data is still in the session.

The simplest, safest way to fix that is to call session.clear() any time the session should be invalidated. That will remove all data from the session, giving you a clean slate. I would do that in the /logout route and at the beginning of any successful login attempt (before setting the userName and initial cart list). If you don't clear the session on login, then a logged in user could go to the login page without logging out, log in as a different user, and have the first user's cart still in the session. That is unlikely to happen, but it shouldn't be possible in any case.

Mark L
  • 93
  • 7
  • Thanks. I cannot wrap my head around this. Ideally each session should be linked with one user only even if the two different users use the same browser in the same machine and so one user should not be able to view another user's cart but when I use my code, one user can view the cart of other. This baffles me. – Arun Gopinath Jan 29 '23 at 13:08
  • Hi Mark, further what is the use of the session files that get stored in the flask app directory. Each session file should be unique and represent data of one user. So somehow is it possible that the session file is not getting linked to a specific user – Arun Gopinath Jan 29 '23 at 13:14
  • A session object is tied to a single browser. You want it to represent a single user, but that is not how it works by itself. Like I said, though, you can clear the session when a user logs out and when a user logs in, and then the data in the session object will only ever be storing a single user's information. – Mark L Jan 30 '23 at 17:06
  • Thanks Mark. If possible can you guide me to any article or book on this. Thanks again – Arun Gopinath Feb 08 '23 at 05:15
  • [What are sessions? How do they Work?](https://stackoverflow.com/q/3804209/7938656) has some decent explanations of sessions broadly. [This article](https://hazelcast.com/glossary/web-session/) gives another. A key point relevant to your confusion is that the cookie the browser sends only identifies the browser to the back-end. (The browser doesn't know what user is logged in.) The back-end (your code) then controls what information it stores for that specific browser, and you have to manage logins there. – Mark L Feb 08 '23 at 05:54
  • Thanks a lot Mark. I shall definitely read these articles. – Arun Gopinath Feb 15 '23 at 13:55