Sessions in Flask

To do anything remotely interesting with a web application, you must build on the concept of a session.

A session is a place that we can store some information, temporarily, while a user navigates from one page to another within our web application.

Here is an example of a running application on Heroku that uses sessions:

Preliminaries to using Sessions

Before you can use sessions in your flask webapp, you need to do two preliminary things:

  1. Set up the right import statement

    Here’s the import you need:

    from flask import session
    
  2. Set the value of app.secret_key

    The secret key is used to encrypt our session to avoid something called “session hijacking”, which is a way that an evildoer can hack into a running web app session and take it over (potentially stealing private data, or creating other mayhem).

    The value of the secret key can be pretty much any string of letters and digits. More information on the secret key can be found here: http://flask.pocoo.org/docs/0.10/quickstart/#sessions

    Set the secret key sometime after the app = Flask(__name__) line.

    app = Flask(__name__)
    app.secret_key='w98fw9ef8hwe98fhwef'   # This sets the secret key for sessions
    

    In this example, the secret key is hard coded right in the Python code that implements the web app, which is fine for a simple example, but there are better ways to do it, such as reading the value from an environment variable. We’ll discuss how that works when we get to OAuth and databases.

Setting up a session (or starting over)

To create a new session, we use this code:

   session.clear()

This is also the code we use to destroy a session, since the act of destroying a sessions also, essentially, creates a new session.

Another way to look at it is this: once you use from flask import session, you always have a session in any browser that opens a page on your web app. It is just a matter of when you press the “reset” button to make a new one.

You can actually “just start using” the session object by storing things in it, without doing session.clear() first. But its probably a better idea to be sure that you always start with a clean slate, like erasing the blackboard before you start a new lesson.

Storing things in a session, and getting them back out

You store things in a session the same way you store them in a Python dictionary (dict) object, by key and value:

To store a hard coded value, you could write:

    session['firstName']='Phill'

But it is more likely that you’d be storing some information that the user entered into a form:

    session['firstName']=request.form['firstName']

Suppose we want to get something out of session that we have stored there. For instance, suppose our key is firstName and we want to get the value:

We are typically doing that inside the HTML inside one of our templates. We may want to check whether that value exists or not first. Here’s some code that does that. This code would be inside one of the .html files inside the templates folder.

Note that in a Jinja2 template, we do not put a colon (:) after the if 'firstName' in session test; since this is already inside a set of Jinja2 delimiters, i.e. {% %}, the colon is not needed.

{% if 'firstName' in session %} 
   First Name: {{ session['firstName'] }}<br>
{% endif %}

Some things to know about sessions:

The concept of a session is not specific to Flask or Python

You’ll find the concept of a session in pretty much every web framework, regardless of whether you are using Python for your web “backend” language, or something else such as Java, PHP, Ruby on Rails, Node (server-side JavaScript), etc.