Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New itsdangerous version invalidates cookie based sessions #2952

Closed
benvand opened this issue Oct 19, 2018 · 5 comments
Closed

New itsdangerous version invalidates cookie based sessions #2952

benvand opened this issue Oct 19, 2018 · 5 comments

Comments

@benvand
Copy link

benvand commented Oct 19, 2018

Expected Behaviour

User sessions should remain valid across versions.

Actual Behaviour

itsdangerous v1.0 was release about 16 hours ago.
Users are signed out when an build of flask that has depended on the new itsdangerous v1.0 is released. This is because the new version has a breaking change that changes the session hashing algorithm.

https://github.com/pallets/itsdangerous/blob/master/CHANGES.rst
https://github.com/pallets/flask/blob/master/flask/sessions.py#L6
https://github.com/pallets/flask/blob/master/setup.py#L39
https://pypi.org/project/itsdangerous/#history

Environment

  • Python version: 3.6
  • Flask version: 1+
benvand added a commit to benvand/flask that referenced this issue Oct 19, 2018
@benvand
Pin itsdangerous to below v1
0561220 
itsdangerous v1 has a breaking change that changes the session hashing algorithm.

Users would be signed out when an build of flask that has depended on the new itsdangerous v1.0 is released.

pallets#2952
@benvand benvand mentioned this issue Oct 19, 2018
Closed
@davidism
Copy link
Member

davidism commented Oct 19, 2018
edited
Loading

That's an unfortunate case, I'm sorry it happened to you. Be sure to pin dependencies and check changelogs before upgrading libraries for projects you deploy to production. In this case, a major version bump is allowed to break things, and we're not going to prevent its use for everyone who's installing Flask going forward.

If you want to provide a smoother transition, you can implement a SessionInterface that tries loading with the previous defaults first, then with the current defaults, upgrading as necessary when writing the session back.

@benvand
Copy link
Author

benvand commented Oct 19, 2018

Thanks. We're fine. We found this on our preview/dev environment after releasing an app with deps pinned to what the libraries (ie Flask) suggested.
But the flask app that we released could no longer share sessions with our other apps.

At the moment any of Flasks dependencies could release a completely incompatible version and break new installs of Flask.

Pinning to sub major versions would help mitigate against this.

@ThiefMaster
Copy link
Member

All Flask dependencies are Pallets projects, so the risk is pretty low.

@davidism davidism mentioned this issue Oct 23, 2018
Closed
@bkabrda bkabrda mentioned this issue Oct 26, 2018
Merged
@davidism
Copy link
Member

We're figuring out how to roll back the digest method change: pallets/itsdangerous#111, pallets/itsdangerous#112

@davidism
Copy link
Member

itsdangerous 1.1.0 has been released. It reverts to SHA-1, and adds a fallback mechanism to safely upgrade signing parameters in the future. It also reverts the package name to all lowercase "itsdangerous".

You can read a longer explanation here: https://palletsprojects.com/blog/itsdangerous-1-1-0-released/

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ThiefMaster @davidism @benvand