Curso de Flask

Luis Martínez

Session management in Flask


User authentication is a fundamental component of modern web application development. Implementing a system that protects personal information and ensures that only authorized users access certain resources is essential to maintaining the security of any platform. In this article, we will explore how to implement a basic authentication system in Flask using sessions, a mechanism that allows maintaining user information through different HTTP requests.

How do sessions work in Flask?

Sessions in Flask allow us to store user-specific information in browser cookies. This is particularly useful when we need to maintain a user's authentication status while browsing our application.

Sessions work as follows:

  • They store data in cookies in the client's browser.
  • The information is protected using a secret key.
  • They make the user's data available in the different routes of the application.
  • They keep data persistent between HTTP requests.

Importantly, Flask implements a security mechanism based on the secret_key, which protects the information stored in the cookies. The aim is that someone who intercepts these cookies cannot use them in another browser to impersonate the original user.

Why is the secret_key important?

The secret_key is a critical component in the security of Flask sessions. This key is used to:

  • Protect the information stored in cookies.
  • Prevent phishing attacks.
  • Ensure that cookies only work in the legitimate user's browser.
  • Protect sensitive data that is shared between the client and the server.

Without a proper secret_key, anyone with access to the cookies could manipulate the information and potentially access protected application resources.

Implementing a basic authentication system

To implement our authentication system, we will create a new Blueprint in Flask that will handle the login and logout routes. This approach allows us to organize our code better and separate the authentication logic from the rest of the application.

Creating the authentication Blueprint

First, we create a new folder, auth, with a routes.py module that defines our Blueprint:

from flask import Blueprint

# 'auth' is the Blueprint name used in url_for(), e.g. url_for('auth.login')
auth_bp = Blueprint('auth', __name__)

Next, we define the login route, which accepts both GET requests (to display the form) and POST requests (to process the user's information):

from flask import Blueprint, request, render_template, redirect, url_for, flash, session

auth_bp = Blueprint('auth', __name__)


@auth_bp.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        if username == 'admin':
            # Store only the identifier in the signed session cookie
            session['user'] = username
            return redirect(url_for('notes.home'))
        else:
            flash('User not allowed', 'error')
    # GET request, or POST with an invalid user: show the form again
    return render_template('login.html')

In this code:

  1. We check whether the request is a POST (form submission).
  2. We obtain the username from the form.
  3. We validate whether the user is allowed (in this case, only 'admin').
  4. If valid, we store the username in the session.
  5. We redirect the user to the main notes page.
  6. If it is not valid, we display an error message.

Creating the login template

For our system to work, we need to create an HTML template that displays the login form:

{% extends 'base.html' %}

{% block content %}
<div class="container">
    <h2>Login</h2>
    <form method="POST">
        <div class="form-group">
            <label for="username">Username:</label>
            <input type="text" name="username" id="username" required>
        </div>
        <button type="submit" class="btn">Login</button>
    </form>
</div>
{% endblock %}

Registering the Blueprint in the main application

For our Blueprint to work, we need to register it in the main application file:

from auth.routes import auth_bp
app.register_blueprint(auth_bp)

How to use the session information in other routes?

Once the user is logged in, we can access the information stored in the session from any other route in the application. This allows us to:

  • Verify whether the user is authenticated.
  • Display personalized content based on the user.
  • Restrict access to certain routes to authenticated users only.
  • Filter specific information for each user.

It is important to remember not to store large amounts of information in the session. The ideal is to store only identifiers or small data that will later allow us to retrieve more complete information from our database.
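As an added example of restricting a route to authenticated users (not code from the course), a hypothetical login_required decorator checks the session the way the page describes; the notes and auth blueprints, create_app and check_protection are constructed here so the snippet runs stand-alone against Flask's test client.

```python
from functools import wraps

from flask import Blueprint, Flask, flash, redirect, session, url_for


def login_required(view):
    """Hypothetical decorator: send requests with no 'user' in the session to the login page."""
    @wraps(view)
    def wrapped(*args, **kwargs):
        if 'user' not in session:
            flash('Please log in first', 'error')
            return redirect(url_for('auth.login'))
        return view(*args, **kwargs)
    return wrapped


auth_bp = Blueprint('auth', __name__)
notes_bp = Blueprint('notes', __name__)


@auth_bp.route('/login')
def login():
    return 'login form would render here'  # stand-in for render_template('login.html')


@notes_bp.route('/')
@login_required
def home():
    # Only the identifier lives in the session; anything larger belongs in the database
    return f"notes for {session['user']}"


def create_app(secret_key):
    app = Flask(__name__)
    app.secret_key = secret_key
    app.register_blueprint(auth_bp)
    app.register_blueprint(notes_bp)
    return app


def check_protection():
    """Return (anonymous status, redirected to login?, logged-in status) for the notes home."""
    client = create_app('constructed-example-key').test_client()  # constructed key
    anonymous = client.get('/')
    with client.session_transaction() as s:  # set the cookie the way login() would
        s['user'] = 'admin'
    logged_in = client.get('/')
    return (anonymous.status_code,
            anonymous.headers['Location'].endswith('/login'),
            logged_in.status_code)
```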

Implementing the logout

To complete our authentication system, we need a route that allows the user to log out. This route must:

  1. Remove the user's information from the session.
  2. Redirect the user to the login page.
  3. Display a message confirming that the session has been successfully logged out.

@auth_bp.route('/logout')
def logout():
    # Drop the user entry; the default avoids a KeyError if it is already gone
    session.pop('user', None)
    flash('You are successfully logged out', 'success')
    return redirect(url_for('auth.login'))

Implementing a basic authentication system in Flask using sessions is a fundamental first step in protecting user information in our application. Although this example is simple, it illustrates the key concepts you need to understand to develop more complex and secure systems in the future. Have you implemented authentication systems in your projects? Share your experience in the comments.
