你如何让 Flask-SocketIO 改变 Flask 存储在 cookie 中的客户端会话？

Question

So essentially, what I'm trying to do is remove a user's session id whenever they leave the website/close their tab because I want them to re-login every time they access the site. I've heard from other Stack Overflow questions that I should try out the Flask-SocketIO extension, and use the disconnect event to detect when they leave the website and then pop their ids from the session. So that's exactly what I did, however, whenever I pop the session, it doesn't actually register. Here's the full code I used to try implement that.

# Socket IO Events
@socket_io.on('connect')
def on_connect():
    app.logger.info("Connected!")
    app.logger.info("SESSION INFO: " + str(session))


@socket_io.on('disconnect')
def on_disconnect():
    app.logger.info("Client disconnected!")
    app.logger.info("SESSION INFO: " + str(session))
    if 'id' in session:
        session.pop('id')

So as you can tell, whenever I sign up and head to the home page, I receive a session id, and when this disconnect event fires, my session id gets popped. However, take a look at this output.

[2021-07-30 14:20:39,765] INFO in app: Connected!
[2021-07-30 14:20:39,766] INFO in app: SESSION INFO: {'id': 1}

yjI1iUG5o3YmBgRlAAAA: Sending packet PING data None
9jo8DD7RQ5mEcUWZAAAI: Upgrade to websocket successful
yjI1iUG5o3YmBgRlAAAA: Received packet PONG data
HYTS2jEcmhqp9Vq5AAAE: Sending packet PING data None
KQznMBiop36XZLcTAAAC: Client is gone, closing socket
[2021-07-30 14:20:53,854] INFO in app: Client disconnected!
[2021-07-30 14:20:53,854] INFO in app: SESSION INFO: {}

[2021-07-30 14:21:35,164] INFO in app: Connected!
hBzSZoZ-W7_nesEBAAAK: Received request to upgrade to websocket
[2021-07-30 14:21:35,168] INFO in app: SESSION INFO: {'id': 1}

After connecting to the page, it gives me a session id. Then, when I disconnect, it removes my session id and it clearly shows over there, that it removed my session id as there isn't anything in the session dict. However, when I reconnect, it like automatically gives me my session id.

Now based on what I've read from this other question on removing session ids, I cannot use socketio to alter the client's cookies, that's at least what I understood from it. He also said that it'd be better to store the sessions on the server side. But I find that a little troublesome and I don't want to just give up on this. Is there any way that I may store client sessions using Flask's built-in sessions system(that store cookies on the client's side), but still allow me to alter them from a socket-io perspective? I'm just very lost on this. Hope someone can explain how socket-io works or just provide a good and comprehensive article on it. Thanks in advance :) But the main problem is, Flask-SocketIO isn't popping the session id when I tell it to and I'm not sure why.

Answer 1

I'm sorry but you have been misled. Using Flask-SocketIO just so that you can be notified when a person leaves your site is extremely overkill, and as you've seen, it doesn't even work for your purposes.

If you want to know why you can't make changes to the user session from a Socket.IO event handler the reason is that Flask-SocketIO uses WebSocket. The user session is maintained in a cookie, which can only be modified in a server response to an HTTP request initiated by the client. WebSocket has no ability to modify cookies.

So I would forget about using Flask-SocketIO for this. it's really not one of its use cases.

Instead, I suggest you look into adding a beforeunload event in your page, where you can delete the session cookie directly in the client. For this to work you will also need to set the SESSION_COOKIE_HTTPONLY configuration option to Flask, so that JavaScript in your page can see, modify and delete the cookie. Note that this may have security implications, so think about it very carefully before doing it.