Session Management problem in flask application

Aakash Rathor

Apr 3, 2024, 7:16:58 AM
to GWT Users
Hello everyone,
In my Flask application there is an issue with the login system, as described below:
1) In the Flask app there are multiple users (roles) like admin, indenter, etc., and the problem is that if any user logs in on the same browser where another user is already logged in, then the previous user is automatically logged out and the most recent user logs in successfully.
2) If the browsers are different and the users are also different, meaning only one user logs in through one browser, then there is no problem; it works properly.
3) If the browser is the same and the user is also the same, then the same-named user logs in successfully, but the previous session ID of that same user changes.
4) In any browser, for the same web page running on the local server, the session ID inside the cookies is the same in all tabs; that is, on the same browser all tabs have the same session ID for the same web application.

In the current situation I face an issue related to session management: only one user can be logged in at a time in the same browser.

So please read all the conditions above very carefully and then provide a solution. I have also attached the code below and a screenshot of the session management workflow.

```python
from uuid import uuid4

from flask import redirect, render_template, request, session, url_for
from flask_login import LoginManager, UserMixin, login_required, login_user

# `app` (the Flask application) and `collection_user` (the users collection)
# are created elsewhere in the application.

# Flask-Login Configuration
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = 'login'


# User model
class User(UserMixin):
    def __init__(self, user_id, username, password):
        self.id = user_id
        self.username = username
        self.password = password

    def get_id(self):
        return str(self.id)  # Convert to string if necessary


@login_manager.user_loader
def load_user(user_id):
    # The id handled by Flask-Login here is the user_type (role) value
    user_data = collection_user.find_one({'user_type': user_id})
    if user_data:
        return User(user_id=user_data['user_type'], username=user_data['user_type'], password=user_data['password'])
    return None


# LOGIN MODULE
# Route for user login
@app.route('/', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        print('inside the login')
        user_type = request.form.get('user_type')
        email = request.form.get('email')
        password = request.form.get('password')
        print('value of user type->>>', user_type)
        print('value of email->>>', email)
        print('value of password->>>', password)

        user = collection_user.find_one({'user_type': user_type, 'email': email, 'password': password})
        print('value of user is->>>', user)
        if user:
            user_obj = load_user(user_type)
            # Generate a unique session ID for the user
            session_key = f"user_{user['_id']}_{uuid4()}"
            # Store user-specific data in the session using the generated session key
            session['user_type'] = user_type
            session['user_email'] = email
            session['session_key'] = session_key
            print('value of user_obj is-->>', user_obj)
            login_user(user_obj)
            return redirect(url_for('dashboard'))
        return render_template('login.html', error='Invalid credentials,plz enter valid id or password')
    print('direct out of the if condition')

    return render_template('login.html', error=None)


@app.route('/dashboard')
@login_required
def dashboard():
    # Retrieve the session key from the session
    session_key = session.get('session_key')
    if session_key:

        # Retrieve the user type from the session
        user_type = session.get('user_type')
        print('value user_type is-->>', user_type)
        if user_type == 'admin':
            print('inside the admin user')
            return redirect(url_for('home_page'))
        elif user_type == 'indenter':
            print('inside the indenter user')
            return redirect(url_for('indenter_dashboard'))
        elif user_type == 'purchaser':
            print('inside the purchaser user')
            return redirect(url_for('purchaser_dashboard'))
        elif user_type == 'store':
            print('inside the store user')
            return redirect(url_for('store_dashboard'))
```

Attachment: Screenshot from 2024-04-03 16-36-43.png

Thomas Broyer

Apr 3, 2024, 8:32:06 AM
to GWT Users
On Wednesday, April 3, 2024 at 1:16:58 PM UTC+2 aakashrathor....@gmail.com wrote:
> Hello everyone,
> In my Flask application there is an issue with the login system, as described below:
> 1) In the Flask app there are multiple users (roles) like admin, indenter, etc., and the problem is that if any user logs in on the same browser where another user is already logged in, then the previous user is automatically logged out and the most recent user logs in successfully.
> 2) If the browsers are different and the users are also different, meaning only one user logs in through one browser, then there is no problem; it works properly.
> 3) If the browser is the same and the user is also the same, then the same-named user logs in successfully, but the previous session ID of that same user changes.
> 4) In any browser, for the same web page running on the local server, the session ID inside the cookies is the same in all tabs; that is, on the same browser all tabs have the same session ID for the same web application.
>
> In the current situation I face an issue related to session management: only one user can be logged in at a time in the same browser.

This is just how the web works.

If you don't want this, then you can't use cookies to maintain your session (e.g. generate some access token on the server that you send back to the client and have it send it in a header with each request to the server; the client could possibly save it in sessionStorage to store the token so it survives a page refresh while segregating it to the current tab).
But note that I believe most users expect that middle-clicking a link (or right-click → open in new tab) will preserve their session, and because every web app out there shares the session across all tabs they won't even try to log in with a different user in a different tab (they'll expect that their session is "detected" and reused, without seeing a login screen).

Also, BTW, this is not GWT-related (in that, it applies whether you use GWT or not).

Aakash Rathor

Apr 4, 2024, 3:55:24 AM
to GWT Users
Thanks @Thomas Broyer.
Can you elaborate more, so that it helps me and makes clear what you want to say?

Thomas Broyer

Apr 4, 2024, 5:43:20 AM
to GWT Users
Not sure what more I can say.

  • "Server-side sessions" use cookies, which are global to the whole browser (not per-tab), so if you want per-tab sessions you have to find another approach than "server-side sessions"
  • Per-tab sessions are not what most sites/apps do, so users will likely not expect it (and most users log in with a single account at a time anyway, so it's mostly a non-issue). In other words, you want to do something that people are not accustomed to. More clearly: don't do it (unless you have very, very, very good reasons to)
  • What you should do though (that you probably don't do nowadays, which led you to discover that behavior of your app) is to somehow check, when your app loads, whether there's already a session or not (generally, make a request to the server to get the user's information –username, etc.– and handle errors so you display the login form when unauthenticated). Opening your app in multiple tabs (after authenticating in one tab) shouldn't show you the login form.

Aakash Rathor

Apr 4, 2024, 8:21:36 AM
to GWT Users
OK, thanks again @Thomas Broyer for providing the information on sessions and cookies.

Please also read the conditions below and let me know whether this behaviour is wrong or right:

1) In the current situation, in my Flask app, multiple users can log in but the browsers also have to be different, meaning one user logs in on one browser. If the user is the same on the same browser then it works properly, but if the user is the same and that same user logs in again, then a new session ID is generated inside the cookies, and this session ID is also replaced in all tabs of the same browser where this specific user is already logged in.
2) I want to test my Flask app in the same browser, but I want different users to log in, and if a new user logs in then the previous user should not be logged out automatically.

So please read all the above conditions or doubts and then provide me with suggestions.

Thomas Broyer

Apr 4, 2024, 10:22:15 AM
to GWT Users
On Thursday, April 4, 2024 at 2:21:36 PM UTC+2 aakashrathor....@gmail.com wrote:
> OK, thanks again @Thomas Broyer for providing the information on sessions and cookies.
>
> Please also read the conditions below and let me know whether this behaviour is wrong or right:
>
> 1) In the current situation, in my Flask app, multiple users can log in but the browsers also have to be different, meaning one user logs in on one browser. If the user is the same on the same browser then it works properly, but if the user is the same and that same user logs in again, then a new session ID is generated inside the cookies, and this session ID is also replaced in all tabs of the same browser where this specific user is already logged in.

That's right, which is why you'd want your app to somehow detect when it loads that a session already exists and can just be reused, rather than showing the login screen and forcing the creation of a new session, replacing the previous one and possibly impacting other tabs.

> 2) I want to test my Flask app in the same browser, but I want different users to log in, and if a new user logs in then the previous user should not be logged out automatically.

Use incognito/private mode. In Firefox you can use "containers" to, well, containerize, tabs with different sets of cookies: https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

Jens

Apr 4, 2024, 12:24:49 PM
to GWT Users
> 2) I want to test my Flask app in the same browser, but I want different users to log in, and if a new user logs in then the previous user should not be logged out automatically.

If you use Chrome or a Chrome-based browser then you could also create two Chrome profiles. Profiles are fully independent of each other and you can open two windows, one with profile A active and the other with profile B active. I regularly use that with the ARC browser (a Chrome-based browser) to fully separate work and personal stuff within the same browser.

How do you want your app to work?

If you really want different users in different tabs within the same browser then you can only use session-id cookies if each logged-in user has its own URL and the session-id cookie is limited to that URL. I think Google does this because Google Groups allows you to log in with multiple accounts and then switch between them. But if you activate that feature then the URL is like groups.google.com/u/0/.. for the first user and groups.google.com/u/1/.. for the second user. That way they can have a different set of cookies for each URL path (= user). If you don't want that then you cannot use cookies and you must store the session-id in memory in your browser app and send it via HTTP header manually. However, doing so means that you are logged out as soon as you close the tab because the session-id is lost then.


-- J. 

Aakash Rathor

Apr 5, 2024, 1:53:15 AM
to GWT Users
Thank you @Thomas Broyer for providing a very important and different approach.
I will try it and then inform you how the app works.

Aakash Rathor

Apr 5, 2024, 1:54:17 AM
to GWT Users
Thank you very much @Jens for more useful information

Aakash Rathor

Apr 5, 2024, 9:26:41 AM
to GWT Users
Thank you for providing the information for managing the session or troubleshooting the problem through a private window or Firefox containers, @Thomas Broyer @Jens.

I implemented the methods as you suggested, but the problem occurs again, as below:
1) If I log in inside an incognito or private window, I see that the session ID is the same in all tabs and all windows. If user A logs in and then user B logs in on the same browser, user A is logged out automatically, and if user C logs in then user B is automatically logged out, so the private window method does not work correctly.
2) Inside Firefox containers for multiple users, the same problem occurs: if user A logs in and then user B logs in, user A is logged out automatically. If I use the different Firefox containers, meaning user A logs in inside the Work window, user B logs in inside the Shopping window and user C logs in inside the Banking window, then it works correctly. But if all users log in in any one window, the previous users are logged out automatically, and I checked that the session ID is the same in all tabs, so with this approach I again did not achieve my desired output.

I am providing the code of my Flask app, so please read it and then provide a suggestion.
I want all users to be logged in on the same browser on the same system at the same time, with previous users not being logged out unless the user logs out themselves.
The code of the Flask app is below:
```python
from flask import make_response, redirect, render_template, request, session, url_for
from flask_login import (LoginManager, UserMixin, current_user, login_required,
                         login_user, logout_user)

# `app` (the Flask application) and `collection_user` (the users collection)
# are created elsewhere in the application.

# Flask-Login Configuration
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = 'login'


# User model
class User(UserMixin):
    def __init__(self, user_id, username, password, user_type):
        self.id = user_id
        self.username = username
        self.password = password
        self.user_type = user_type

    def get_id(self):
        return str(self.id)  # Convert to string if necessary


@login_manager.user_loader
def load_user(user_id):
    # The id handled by Flask-Login here is the user_type (role) value
    user_data = collection_user.find_one({'user_type': user_id})
    if user_data:
        return User(user_id=user_data['user_type'], username=user_data['user_type'], password=user_data['password'], user_type=user_data['user_type'])
    return None


# LOGIN MODULE
# Route for user login
@app.route('/', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        print('inside the login')
        user_type = request.form.get('user_type')
        email = request.form.get('email')
        password = request.form.get('password')
        print('value of user type->>>', user_type)
        print('value of email->>>', email)
        print('value of password->>>', password)

        user = collection_user.find_one({'user_type': user_type, 'email': email, 'password': password})
        print('value of user is->>>', user)
        if user:
            user_obj = load_user(user_type)
            print('value of user_obj is-->>', user_obj)
            login_user(user_obj)
            return redirect(url_for('dashboard'))
        return render_template('login.html', error='Invalid credentials,plz enter valid id or password')
    print('direct out of the if condition')

    return render_template('login.html', error=None)


# Dashboard Route
@app.route('/dashboard')
@login_required
def dashboard():
    if current_user.is_authenticated:
        user_type = current_user.user_type
        print('value user_type is-->>', user_type)
        if user_type:
            print('inside the if condition of user_type')
            if user_type == 'admin':
                print('inside the admin user')
                return redirect(url_for('home_page'))
            elif user_type == 'indenter':
                print('inside the indenter user')
                return redirect(url_for('indenter_dashboard'))
            elif user_type == 'purchaser':
                print('inside the purchaser user')
                return redirect(url_for('purchaser_dashboard'))
            elif user_type == 'store':
                print('inside the store user')
                return redirect(url_for('store_dashboard'))
    # Handle if user not found
    return redirect(url_for('login'))


# Logout Session
@app.route("/logout")
@login_required
def logout():
    # Clear session data for current user
    session.clear()
    session.pop('user_type', None)
    logout_user()
    response = make_response(redirect(url_for("login")))
    # response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, max-age=0'
    # response.headers['Pragma'] = 'no-cache'
    # response.headers['Expires'] = '-1'
    return response
```

