Prevent _load_user_from_remember_cookie by setting REMEMBER_COOKIE_NAME to None #841
Schallerwf started this conversation in Ideas
Problem
I have my own remember token implementation and need to disable the flask-login remember functionality. Even if I never use remember=true, an attacker can still pass a cookie and possibly trigger _load_user_from_remember_cookie. (For example, an internal actor with knowledge of the app secret can bypass our more advanced remember token design by generating/setting their own cookie.)
Proposal
I propose a small change to this line.
From
cookie_name in request.cookies and session.get("_remember") != "clear"
To
cookie_name is not None and cookie_name in request.cookies and session.get("_remember") != "clear"
I am currently running this patch in my application.
Without the patch, setting REMEMBER_COOKIE_NAME to None seems to work as a mitigation. I have not been able to generate a request to my app that sets a cookie with key None or found an example of this online; however, given that None is a valid key in Python, I was hoping to eliminate this risk explicitly to reduce any future potential issues.
I've read the documentation's suggestion of using alternative ids which can be changed to void previously issued remember tokens, but that does not close the gap fully either.
Curious to hear other thoughts. Thank you.
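The two conditions quoted in the post, compared side by side in an added example that is not part of the original post or of Flask-Login's code. It assumes the standard library's `http.cookies.SimpleCookie` as a stand-in for the framework's cookie parsing and uses hypothetical helper names; the request data is constructed.

```python
from http.cookies import SimpleCookie


def parse_cookie_header(header):
    """Parse a Cookie header into a name -> value dict.

    Stand-in for request.cookies (assumption: stdlib parser, not Werkzeug's).
    """
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def current_guard(cookie_name, cookies, session):
    # Condition quoted under "From" in the post.
    return cookie_name in cookies and session.get("_remember") != "clear"


def proposed_guard(cookie_name, cookies, session):
    # Condition quoted under "To" in the post.
    return (
        cookie_name is not None
        and cookie_name in cookies
        and session.get("_remember") != "clear"
    )


def compare(cookie_name, cookies, session=None):
    """Return (current, proposed) guard results for one request."""
    session = session or {}
    return (
        current_guard(cookie_name, cookies, session),
        proposed_guard(cookie_name, cookies, session),
    )


# Constructed request: a cookie under Flask-Login's default name plus one
# whose name is the literal string "None".
SAMPLE_COOKIES = parse_cookie_header("remember_token=forged; None=forged")

if __name__ == "__main__":
    print("default name:      ", compare("remember_token", SAMPLE_COOKIES))
    print("name set to None:  ", compare(None, SAMPLE_COOKIES))
    # A mapping with a real None key cannot come from the parser above; it is
    # built by hand to show the only case where the two conditions differ.
    print("hand-built None key:", compare(None, {None: "x"}))
```

Header-derived cookie names are always strings here, so a cookie named `None` on the wire never equals the Python `None` object; the conditions diverge only for a mapping that already holds a real `None` key.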