Forums

Session not persisting in some browsers, using own domain name

I am using Flask sessions for a simple login system. There are 3 routes in question.

def home()
def checkLogin()
def read()

You start at home(), attempt a login, begin a session if successful, return to home() but with the session modifying the page contents, and then you can go to read().

The login part works as expected (and until recently the entire thing was fine). However, when I go to read() and check again for a session, it returns "None" as though the session has vanished. This only happens in Chrome/Safari/Firefox, not Edge or Opera.

It seems to be related to me using a domain name, since my locally hosted version works as intended in any browser. Using the PythonAnywhere URL also works as intended. It's only when I browse via the domain name that it breaks down.

I'm confused as to why the session works fine for the first two functions but then disappears when I move to the third.

The login form uses url_for() to navigate, whereas I use JavaScript when taking the user to read() (via window.location('xyz')).

Anyone have any ideas? Below is the simplified code for reference.

    from datetime import timedelta
    from flask import Flask, render_template, request, session

    app = Flask(__name__)
    app.secret_key = "replace-with-a-real-secret"    # needed to sign the session cookie


    def password_ok(form):
        # placeholder for the poster's own check: hash the submitted
        # password and compare it against the hash stored in the db
        return False


    @app.route("/home")
    def home():
        if session.get('logged-in'):
            # do some fluff stuff
            return render_template('index.html')    # plus whatever vars index.html needs

        return render_template('login.html')    # the start point is login.html


    @app.route("/home", methods=['POST'])
    def checkLogin():
        if session.get('logged-in'):
            return home()    # already logged in, go show index.html.  THIS WORKS AS EXPECTED

        # grab login credentials from the submitted form
        # hash pword and check against db
        if password_ok(request.form):
            session['logged-in'] = True
            session.permanent = True
            app.permanent_session_lifetime = timedelta(days=1)
        else:
            session['logged-in'] = False

        return home()    # call home again and go to index.html/login.html as appropriate


    @app.route("/<int:pagenum>")    # URLs are <domain>/<pagenum>, as described below
    def read(pagenum):
        if not session.get('logged-in'):    # when it goes wrong, session.get('logged-in') returns None, rather than True or False
            if not session.get('free'):    # a bool that gives a free taster without user login.  this should logically always be true as of how my code is now, but currently returns None
                return home()    # THIS IS WHERE IT IS INCORRECTLY RETURNING HOME AS THOUGH THE SESSION DOES NOT EXIST - BUT ONLY IN CHROME/SAFARI/FIREFOX
            else:
                pass    # get the user's ID number for later if they are logged in

        # blah blah lots more stuff
        return render_template('read.html', pagenum=pagenum)    # placeholder template name

That sounds like your session cookie may be being changed or not sent for some of the views. Try checking the requests in your browser to see whether the session cookie is staying the same between those requests. While you're doing that, also check the other properties of the cookie to see if there's anything there that may be preventing the session from carrying across.

Thanks for the response.

Whether I browse from the domain name or the full PythonAnywhere URL, the session cookie appears against the PythonAnywhere URL. The domain name also appears in the cookies tab, but with nothing against it.

It's very strange. Sometimes the cookie appears once I do the login (as expected) and then remains unchanged no matter what I do. If I delete the cookie, it doesn't seem to reappear... and yet the login still works up until the previous point where it was breaking down (so it persists for 1 navigation but not 2).

I don't understand why (a) it is not reappearing as I am testing now, or (b) it has reappeared in the past, since obviously it must do at some point or I wouldn't see it.

Edit: also, if I view the cookies in Edge, I see that the session is against the query string rather than the domain. E.g. in Chrome it shows the cookie against rossfrombritain.pythonanywhere.com, but in Edge it shows it as being against "1" (in the case of rossfrombritain.pythonanywhere.com/1).

Just for ref, my website recreates an e-book experience, so the URLs are in the format: <domain>/<pagenum>

If it's appearing for the pythonanywhere domain only, then it's because there is a setting somewhere that is causing that. Find the setting and change it to be for the domain that you want it to be for.

The logged-in check will only cause an issue in views where you actually check it. If you do not check it in every view, those will work because they don't check it.

Edge and Chrome may just have different ways of representing the cookie in their store.
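Picking up the advice in both replies (inspect the cookie's properties in the browser, and find the setting that scopes it to the pythonanywhere domain), here is a small added example, not code from the thread or from PythonAnywhere, that applies a browser's own storage and send rules (RFC 6265 domain, path and Secure matching, public-suffix check omitted) to a Set-Cookie header. It shows why a cookie carrying Domain=rossfrombritain.pythonanywhere.com is silently discarded when the response arrives from a different hostname, which is precisely "the domain name appears in the cookies tab, but with nothing against it", and why a host-only cookie is not sent to a sibling host. The cookie values and the www.mybook.example URLs are constructed; only the standard library is used.

```python
"""Would a browser keep this Set-Cookie and send it back on the next request?

Added example (not from the thread): applies the RFC 6265 domain, path and
Secure rules to a Set-Cookie header. The public-suffix check is omitted.
Cookie values and URLs below are constructed.
"""
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlsplit


def _default_path(url_path: str) -> str:
    """RFC 6265 5.1.4 default-path, used when the cookie has no Path attribute."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path.rsplit("/", 1)[0]


def _domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match (public-suffix check omitted)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store_cookie(set_cookie: str, response_url: str) -> Optional[dict]:
    """Return the record a browser would store, or None if it rejects the cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()
    parts = urlsplit(response_url)
    host = parts.hostname
    domain = morsel["domain"].lower().lstrip(".")
    if domain and not _domain_matches(host, domain):
        return None  # RFC 6265 5.3 step 6: Domain must cover the responding host
    return {
        "name": name,
        "value": morsel.value,
        "domain": domain or host,
        "host_only": not domain,  # no Domain attribute: exact host match only
        "path": morsel["path"] or _default_path(parts.path),
        "secure": bool(morsel["secure"]),
    }


def would_send(cookie: dict, request_url: str) -> bool:
    """RFC 6265 5.4: does a stored cookie go out on this request?"""
    parts = urlsplit(request_url)
    host = parts.hostname
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not _domain_matches(host, cookie["domain"]):
        return False
    if not _path_matches(parts.path or "/", cookie["path"]):
        return False
    if cookie["secure"] and parts.scheme != "https":
        return False
    return True


def diagnose(set_cookie: str, response_url: str, request_url: str) -> str:
    """One-line verdict for a Set-Cookie received at response_url and a later request_url."""
    cookie = store_cookie(set_cookie, response_url)
    if cookie is None:
        return "rejected: Domain attribute does not cover " + urlsplit(response_url).hostname
    if would_send(cookie, request_url):
        return "sent"
    return "stored but not sent to " + request_url


if __name__ == "__main__":
    # Constructed headers: the first is what a session cookie pinned to the
    # PythonAnywhere host looks like, the second carries no Domain attribute.
    pinned = "session=abc123; Domain=rossfrombritain.pythonanywhere.com; Path=/; HttpOnly"
    host_only = "session=abc123; Path=/; HttpOnly"
    for hdr in (pinned, host_only):
        for site in ("https://rossfrombritain.pythonanywhere.com", "https://www.mybook.example"):
            print(hdr.split(";")[1].strip(), site, "->", diagnose(hdr, site + "/home", site + "/1"))
```

In Flask the Domain attribute on the session cookie comes from the SESSION_COOKIE_DOMAIN config key (and Path from SESSION_COOKIE_PATH, which defaults to APPLICATION_ROOT, i.e. "/"); Flask releases before 2.3 also derived it from SERVER_NAME when SESSION_COOKIE_DOMAIN was unset. Whether either is set in the poster's app is not visible in the thread, but those are the settings to look for: a Domain attribute naming the pythonanywhere host yields a cookie stored for that host and nothing stored for the custom domain, and the Secure flag (SESSION_COOKIE_SECURE) is worth checking at the same time if the custom domain is ever visited over plain HTTP.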