For unauthenticated sessions only store them in redis for 5m (#1345)

Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>
2025-09-29 01:46:49 +08:00 · 2022-10-13 15:55:08 +02:00 · 2022-10-13 15:55:08 +02:00 · 72277211bb
commit 72277211bb
parent d5ca316e41
1 changed files with 6 additions and 1 deletions
--- a/app/session.py
+++ b/app/session.py
@ -88,10 +88,15 @@ class RedisSessionStore(SessionInterface):
        secure = self.get_cookie_secure(app)
        expires = self.get_expiration_time(app, session)
        val = pickle.dumps(dict(session))
+        ttl = int(app.permanent_session_lifetime.total_seconds())
+        # Only 5 minutes for non-authenticated sessions.
+        # We need to keep the non-authenticated ones because the csrf token is stored in the session.
+        if "_user_id" not in session:
+            ttl = 300
        self._redis_w.setex(
            name=self._get_key(session.session_id),
            value=val,
-            time=int(app.permanent_session_lifetime.total_seconds()),
+            time=ttl,
        )
        signed_session_id = self._get_signer(app).sign(
            itsdangerous.want_bytes(session.session_id)