prevent session hijacking by generate session already exists
idocyabra committed Apr 25, 2024
1 parent bc2fe67 commit dc9eafb
Showing 1 changed file with 4 additions and 1 deletion.
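--- a/src/flask_session/base.py
+++ b/src/flask_session/base.py
@@ -194,7 +194,10 @@ def __init__(
 
 def _generate_sid(self, session_id_length: int) -> str:
 """Generate a random session id."""
-return secrets.token_urlsafe(session_id_length)
+new_sid = secrets.token_urlsafe(session_id_length)
+if self._retrieve_session_data(new_sid):
+raise RuntimeError("Session ID already exists in the database.")
+return new_sid
 
 # TODO: Remove in 1.0.0
 def _get_signer(self, app: Flask) -> Signer: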
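Review bot: The collision guard in `_generate_sid` tests the truthiness of `self._retrieve_session_data(new_sid)`, so an existing session whose stored data is empty would presumably count as unused; `if self._retrieve_session_data(new_sid) is not None:` states the intent, assuming the helper returns None for a missing key. The lookup and the later write are separate steps, so the check cannot rule out two concurrent requests being handed the same id; the protection still rests on the entropy of `secrets.token_urlsafe`, and enforcing a minimum `session_id_length` would do more against guessing than this lookup. It is not visible in this hunk whether `_retrieve_session_data` expects the raw sid or a prefixed store key; if it is the latter, the lookup never matches. On a hit the RuntimeError propagates to the caller instead of a fresh id being drawn, which the docstring should record, e.g. `Raises RuntimeError if the generated id is already present in the store.`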
