I'm setting up a Flask app with the flask-login extension. The flask-login documentation recommends setting up an alternative token generator that does not simply use the user ID and app secret to create the session token (which is the default method). But it doesn't provide any clear recommendations for how to do this.

So, for User.get_auth_token(), I'm using the make_secure_token function with the user email and password as parameters (so I get a hash of these parameters + app secret).

Next, I need to be able to get the user from the token with the token_loader callback. The default method for generating tokens in flask-login is to include both the raw user ID and a hash of the user ID + app secret. That makes finding the user from the token pretty simple - just grab the ID and look up the user.

But should I be exposing the user ID in the session token at all? If I don't, should I store the session token in the database or somewhere else with the user ID to make a lookup possible?

In short: does anyone know what the best practice is for creating a secure token & corresponding token_loader callback?
You can take a look at what I'm doing with Flask-Security here:

https://github.com/mattupstate/flask-security/blob/develop/flask_security/core.py#L94

I'm using itsdangerous <http://packages.python.org/itsdangerous/> for generating tokens, however.

On Wed, Sep 26, 2012 at 9:38 AM, Ben Judson <ben@saharagray.com> wrote:
Ah, ok, I see what you are doing. So the user ID is passed in the token, but serialized along with the password hash. That makes sense.

thanks, Ben.

On Sep 26, 2012, at 9:15 AM, Matt Wright wrote:
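The scheme the thread settles on (the user ID carried in the token, serialized together with a value derived from the password hash and signed with the app secret) as an added example; this is not Flask-Security's or Flask-Login's code. It uses only the standard library in place of itsdangerous, adds an issue time so tokens expire, and the user table, secret key and password hashes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed in-memory user table standing in for the app's database.
# The password_hash values are placeholders, not output of a real hash.
USERS = {7: {"email": "ben@example.com", "password_hash": "pbkdf2$placeholder-hash-A"}}
SECRET_KEY = b"app-secret-key-placeholder"  # normally app.config["SECRET_KEY"]
TOKEN_MAX_AGE = 30 * 24 * 3600  # seconds a token stays valid

def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def _password_fingerprint(password_hash):
    # Short value derived from the stored hash: changing the password changes it.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]

def get_auth_token(user_id, issued_at=None):
    # User.get_auth_token(): user id, password fingerprint and issue time,
    # base64-encoded and HMAC-signed. The id is readable, but the signature
    # is what stops anyone from producing a valid token for another id.
    user = USERS[user_id]
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{user_id}:{_password_fingerprint(user['password_hash'])}:{issued_at}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def load_user_from_token(token, now=None):
    # token_loader callback: verify the signature before trusting any field,
    # then look the user up by id and re-check the password binding and age.
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None  # tampered, truncated, or signed with another key
    try:
        user_id, fingerprint, issued_at = payload.decode().split(":")
        user_id, issued_at = int(user_id), int(issued_at)
    except ValueError:
        return None
    user = USERS.get(user_id)
    if user is None or now - issued_at > TOKEN_MAX_AGE:
        return None
    if not hmac.compare_digest(fingerprint.encode(), _password_fingerprint(user["password_hash"]).encode()):
        return None  # password changed since the token was issued
    return user
```

Because the password fingerprint travels inside the signed payload, nothing needs to be stored server-side per token, and every outstanding token for a user is invalidated by a password change.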