From dc9eafba32bb8902a3da62d07c6b875defaa5027 Mon Sep 17 00:00:00 2001
From: Ido Shraga
Date: Thu, 25 Apr 2024 12:26:59 +0300
Subject: [PATCH] prevent session hijacking by generate session already exists

---
 src/flask_session/base.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/flask_session/base.py b/src/flask_session/base.py
index 2399b1a3..2958a636 100644
--- a/src/flask_session/base.py
+++ b/src/flask_session/base.py
@@ -194,7 +194,10 @@ def __init__(
 
     def _generate_sid(self, session_id_length: int) -> str:
         """Generate a random session id."""
-        return secrets.token_urlsafe(session_id_length)
+        new_sid = secrets.token_urlsafe(session_id_length)
+        if self._retrieve_session_data(new_sid):
+            raise RuntimeError("Session ID already exists in the database.")
+        return new_sid
 
     # TODO: Remove in 1.0.0
     def _get_signer(self, app: Flask) -> Signer:
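Review bot: Raising `RuntimeError` on a colliding id turns an event the code can trivially recover from into a failed request; since `secrets.token_urlsafe` is cheap, the new code in `_generate_sid` should draw another id and retry a bounded number of times before giving up. Note also that a lookup followed by a later write is not atomic, so this check narrows but does not close the window in which two requests could obtain the same id — only an insert-if-absent in the backend would, and I cannot see from this hunk whether `_retrieve_session_data` is defined on this base class or left to the backends. The extra backend round-trip now happens on every new session, which is worth a comment for operators. The docstring should also say that the id is checked against the store and what is raised when no free id is found, e.g. `"""Generate a random session id that is not already present in the store; raise RuntimeError if none is found."""`.
```python
    def _generate_sid(self, session_id_length: int) -> str:
        """Generate a random session id that is not already present in the store; raise RuntimeError if none is found."""
        # Collisions are astronomically unlikely for any sane length, so a few
        # attempts are plenty; each attempt costs one backend lookup.
        for _ in range(3):
            new_sid = secrets.token_urlsafe(session_id_length)
            if not self._retrieve_session_data(new_sid):
                return new_sid
        raise RuntimeError("Session ID already exists in the database.")
```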