Flask permanent session: where to define them?

patb · Dec 6, 2015 · Viewed 16.6k times

By default, Flask uses volatile sessions, which means the session cookie is set to expire when the browser closes. In order to use permanent sessions, which will use a cookie with a defined expiration date, one should set session.permanent = True, as is mentioned in this question, and the expiration date will be set based on config['PERMANENT_SESSION_LIFETIME'].

I am surprised that session lifetime is defined in the config file, yet it is not possible to request the use of permanent sessions through configuration, such as a config['USE_PERMANENT_SESSION'] = True. But so be it.

My question is: if you do want permanent sessions, what is the best place to define them? Is it in an @app.before_request function as proposed in the mentioned question? But that would mean setting it over again at each request? It seems that once set, session.permanent remains true till the end of the session.

Permanent sessions are generally used after sign-in, so maybe the best place to request them is while processing login_user()? So is the best policy to use volatile session cookies for all anonymous pages, and switch to permanent sessions by doing a session.permanent = True at sign-in?

And one might want to set a different lifetime depending on whether it is the ordinary session cookie, or the remember_me cookie. What would be the best way to achieve this?

Answer

mikey8989 · Jun 10, 2016

I'm surprised no one has answered this question. It seems like there should be some type of config variable SESSION_PERMANENT = True. But unfortunately there isn't. As you mentioned, this is the best way to do it.

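from flask import Flask, session
app = Flask(__name__)

@app.before_request
def make_session_permanent():
    session.permanent = True  # expiry then comes from PERMANENT_SESSION_LIFETIME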
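
The sign-in alternative raised in the question, as an added example that is not part of the original question or answer: session.permanent is set once in a hypothetical /login view, and a helper checks whether each response's session cookie carries an Expires attribute. The routes, user name, secret key and 8-hour lifetime are constructed for the illustration.

```python
from datetime import timedelta
from flask import Flask, session

app = Flask(__name__)
app.config.update(
    SECRET_KEY="constructed-test-key-not-for-production",  # constructed value
    PERMANENT_SESSION_LIFETIME=timedelta(hours=8),         # assumed lifetime
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_SAMESITE="Lax",
)

@app.route("/visit")
def visit():
    # Anonymous page: writes to the session but never asks for permanence,
    # so the cookie stays a browser-session ("volatile") cookie.
    session["visits"] = session.get("visits", 0) + 1
    return "ok"

@app.route("/login", methods=["POST"])
def login():
    # Hypothetical sign-in view; credential checking is omitted here.
    session["user"] = "alice"   # constructed user name
    session.permanent = True    # stored inside the session as "_permanent"
    return "logged in"

@app.route("/profile")
def profile():
    # Read-only view: never touches session.permanent again.
    return session.get("user", "anonymous")

def cookie_is_persistent(response):
    """True if the response sets the session cookie with an Expires attribute."""
    name = app.config["SESSION_COOKIE_NAME"] + "="
    for header in response.headers.getlist("Set-Cookie"):
        if header.startswith(name):
            attrs = header.split(";")[1:]  # skip the name=value pair
            return any(a.strip().lower().startswith("expires=") for a in attrs)
    return False

def demo():
    # The test client keeps cookies between requests, like a browser would.
    client = app.test_client()
    anonymous = cookie_is_persistent(client.get("/visit"))
    at_login = cookie_is_persistent(client.post("/login"))
    afterwards = cookie_is_persistent(client.get("/profile"))
    return anonymous, at_login, afterwards

if __name__ == "__main__":
    print(demo())
```

The flag set at sign-in travels inside the signed session cookie, so later requests keep the bounded expiry without a before_request hook, while anonymous visitors never receive a persistent cookie.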