Regenerate session ids in a flask server side session

To avoid an attack known as a “session fixation attack”, where the attacker plants a session id of their choosing in the victim’s browser before login so that a session id the attacker already knows becomes authenticated, you’re supposed to be the good guy and regenerate the session id when a user logs in or registers (or, if you really want to, on every request to have a fleeting session id – but this will also require extra traffic towards your session backend, even if the server side content of the session itself doesn’t change).

Flask-Session supports this through its regenerate function, which you can call on the configured session interface (either through app.session_interface or, in a blueprint, through current_app.session_interface).

Some language models (regardless of whether they qualify themselves as large or small) are going to say “just use session.clear() and the session token will be regenerated”, but they’ll be wrong (at least for Flask 3.1).

So you try to do it yourself – you log out of your account, and then sign in again, and by calling regenerate() in your sign-in function, you expect the session token to be regenerated from whatever it previously was.

But that doesn’t happen.

Your code would look like (in a blueprint):

session.clear()
current_app.session_interface.regenerate(session)

session['user_id'] = user.id

return redirect(url_for('index'))

.. but nothing changes. Well, it turns out that Flask-Session guards its regenerate() function with a plain truthiness check on the session object, instead of checking whether a valid session was given:

def regenerate(self, session: ServerSideSession) -> None:
    """Regenerate the session id for the given session. Can be used by calling ``flask.session_interface.regenerate()``."""
    if session:
        # Remove the old session from storage
        self._delete_session(self._get_store_id(session.sid))
        # Generate a new session ID
        new_sid = self._generate_sid(self.sid_length)
        session.sid = new_sid
        # Mark the session as modified to ensure it gets saved
        session.modified = True

And this is where the issue happens. You’ve done what you should be doing – clearing the session and not trusting whatever might be in it – so you’re left with an empty session dictionary. An empty dict evaluates as false-y, not true-ish, so the if session: guard fails and the regeneration code never runs.

The answer is to ask Flask-Session nicely to regenerate the session id after you’ve populated it with the user’s information:

session.clear()
session['user_id'] = user.id
current_app.session_interface.regenerate(session)

That way Flask-Session will be happy with you, since you now have a non-empty session that will be seen as true-ish, and the world will rejoice.
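As an added example (not code from this post or from Flask-Session), here is a login helper that does the clear / populate / regenerate dance in the working order and fails loudly if the session id did not actually change, next to the broken ordering from the first snippet. The session and interface classes are constructed stand-ins that reproduce only the if session: guard quoted above; the helper itself touches nothing but clear(), item assignment, .sid and .regenerate(), so it can be handed Flask’s session and current_app.session_interface unchanged.

```python
import secrets


class FakeServerSideSession(dict):
    """Constructed stand-in for Flask-Session's ServerSideSession: a dict carrying a sid."""

    def __init__(self, sid):
        super().__init__()
        self.sid = sid
        self.modified = False


class FakeSessionInterface:
    """Constructed stand-in reproducing the truthiness guard quoted from Flask-Session."""

    def __init__(self):
        self.deleted = []  # sids removed from the (pretend) store

    def regenerate(self, session):
        if session:  # empty dict -> falsy -> silently does nothing
            self.deleted.append(session.sid)
            session.sid = secrets.token_urlsafe(32)
            session.modified = True


def login_user(session, interface, user_id):
    """Working order: clear, populate, then rotate the sid; refuse to continue if it did not rotate."""
    old_sid = session.sid
    session.clear()
    session["user_id"] = user_id
    interface.regenerate(session)
    if session.sid == old_sid:
        # Never let a login complete on the pre-authentication session id.
        raise RuntimeError("session id was not regenerated on login")
    return session.sid


def login_user_wrong_order(session, interface, user_id):
    """Ordering from the first snippet: regenerate() sees an empty session and is a no-op."""
    old_sid = session.sid
    session.clear()
    interface.regenerate(session)
    session["user_id"] = user_id
    return session.sid == old_sid  # True: the old sid survives the login
```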

And that, my friends, was what made me write another post here to document something weird after eight years of hiatus.

Imagemagick / MagickWand under alpine linux / python-alpine

The Python implementation of MagickWand, aptly named Wand, requires ImageMagick and MagickWand to be installed. While building docker images using the python:alpine base images, these dependencies can be installed through:

ENV MAGICK_HOME=/usr
RUN apk add --no-cache imagemagick && \
apk add --no-cache imagemagick-dev

The environment variable is required for Wand to find the installed MagickWand libraries, while the -dev package installs the imagemagick development dependencies (and thus, the magickwand shared library).

cmd.exe – program has stopped working – but it works in Windows Explorer?

After digging through this issue for _at least_ four hours today, I’ve revisited an issue that crept up 1.5 years ago. This time I found out that it actually happened to most 32-bit programs launched under cmd. Since the Android SDK’s utilities are compiled in 32-bit mode by default, this time I had to actually find out what was causing the issue.

Turns out it was ansicon.exe. After starting the 32-bit cmd.exe from windows\SysWOW64, stuff worked – and I got an error about ansicon.exe not being able to load. Removing ansicon.exe completely solved the problem. I’m .. stunned.

bkool pro trainer fails firmware update

After trying to get my bkool pro smart trainer to update to the most recent version for almost two weeks, I finally solved the issue tonight. The official FAQ just states that you should stop anything related to bluetooth and that the ANT+ dongle should be right at the base of the trainer. I had done both things – even stopping any Garmin related products installed, but nothing helped. The firmware update would start, but after a couple of minutes (or as many as ten), bkool indoor would error out.

The solution: A new USB controller card. Apparently the USB ports on the motherboard introduced too much noise on the connection, and since ANT+ (or bkool, not sure) doesn’t have any proper error correction to detect errors at a lower level and resend USB packets, it seems an error was introduced somewhere in the firmware update, and the final checksum failed.

A new VIA-based USB PCI-card from Ebay solved the issue, and now my firmware is upgraded! Yay! (The trainer worked just fine except for that, so it was still usable – but I had a bug appear that the firmware should fix. Or maybe that was caused by noise on the USB bus as well? We’ll see. Zwifting away in a couple of days!)

Facebook Graph API: (#324) Missing or invalid image file

If you keep getting errors when trying to set a custom page tab icon while adding an app to a page – make sure that the application is actually published. You can add it – and the icon will change, but it will still generate an error – if the application isn’t published yet. No idea why it’d give an error like that, but hey.

There are quite a few other reasons for the error as well, but Google has probably already told you about those.

Old Ubuntu-releases in APT / etc.

We have an old VM (Ubuntu 14.10) that we just keep running – it does a very specific job, isn’t connected to anything important and just chugs along. But because of a dependency issue with external software, we needed to install a new library on it – and because of dependencies when we first set up the VM, Ubuntu was the distro selected.

Sadly all the old URLs for apt-get in sources.list had stopped working, as the mirrors no longer had that specific Ubuntu (utopic) version available.

Luckily – after a bit of using our old friend Google – I found old-releases.ubuntu.com. This is also available as an archive for content through APT, so if you replace whatever mirror you’re used to fetching packages from with old-releases.ubuntu.com in your old sources.list entries, you can get the last version of the packages that was made available when you first set up your distro.

Saved the day!

“python.exe has stopped working” suddenly appeared under Windows 10

When attempting to start python tonight, Windows 10 suddenly produced the “python.exe has stopped working” error. Examining the event in the Event Viewer didn’t provide any more useful information, but surprisingly everything worked if I launched python.exe directly from Explorer – or through bash (cygwin), but not if I launched it through the regular command line (cmd.exe).

What solved it? Removing the old directory again (even after trying a fresh install) and then explicitly finding the 64-bit version on the python download page (it gives you the 32-bit version by default, it seems). Reinstalling with the new archive fixed everything, and now it works again (and I checked “pre-compile the standard library”, but that shouldn’t change anything)! Woho! Now to just reinstall quite a few virtualenvs..

Android: Changing the Title of an Activity – setTitle works – android:label does not?

To change the title of an activity (to show a more custom title for a certain activity than the application title), you can set the new title either by calling setTitle("foo") on the activity or by setting android:label="@string/price_after_rebate" in your activity xml file.

The problem was that the latter didn’t work, while the first one did. I try to keep any static definitions related to the activities outside of the code itself, but that’s hard when it doesn’t work as expected.

Turns out that if there’s a title set in the AndroidManifest.xml file (located under app/manifests/ in the standard layout / Android Studio), it’ll override any title set elsewhere in the definitions. You can change the specific titles by setting android:label="@string/price_after_rebate" on the activity definitions in the manifest instead of the activity xml file:

<activity
    android:name=".xyz.Foo"
    android:parentActivityName=".MainActivity"
    android:label="@string/xyz_foo_activity_title"
>
    <meta-data
        android:name="android.support.PARENT_ACTIVITY"
        android:value="xyz.MainActivity" />
</activity>

Enabling OpenVPN configuration / autostart on Ubuntu

This assumes that you’ve already made sure that your configuration is valid and is able to connect (you can check this by calling openvpn --config /etc/openvpn/FILENAME.conf directly. It won’t be daemonized, but it will print any errors to the console directly).

There are a few details you’ll have to get right before the openvpn daemon starts your configuration automagically under Ubuntu:

  1. Your configuration has to be under /etc/openvpn/FILENAME.conf. The .conf part is important. If it ends with .ovpn or anything else, it won't be loaded.
  2. Ubuntu isn't set to start all configurations by default. You can change this by editing /etc/default/openvpn. Change the AUTOSTART variable to the configurations you want to start when the daemon starts. The example in the file says "all", which means that all defined configurations will start. This is OK if you want to keep openvpn up at all times.
  3. You have to tell systemd that you've changed the default file. If you don't do this, nothing will have appeared to change for openvpn - unless you restart the OS. And you don't want to restart your server just to make a setting visible. Do systemctl daemon-reload to make systemd reload the settings (this is also in the comments in the file, but hey, you don't have time to read those, so now you're searching Google instead).
  4. Restart openvpn: service openvpn restart
  5. Confirm that everything went OK by looking in /var/log/syslog
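As an added example (not from the original post), a small pre-flight check for the first two gotchas above: it refuses a configuration file whose name does not end in .conf and verifies that the last uncommented AUTOSTART line in /etc/default/openvpn is either "all" or contains the configuration’s name. The second argument (the path of the defaults file) exists only so the check can be run against a copy; it assumes the defaults file uses the plain AUTOSTART="..." assignment shown in the stock file.

```shell
#!/bin/sh
# Usage: openvpn_autostart_check /etc/openvpn/FILENAME.conf [/etc/default/openvpn]
# Returns 0 when the daemon would pick the configuration up, 1 with a reason otherwise.
openvpn_autostart_check() {
    conf="$1"
    defaults="${2:-/etc/default/openvpn}"
    name=$(basename "$conf")

    # Gotcha 1: only *.conf files under /etc/openvpn are loaded.
    case "$name" in
        *.conf) ;;
        *) echo "FAIL: $name does not end in .conf, the daemon will ignore it" >&2; return 1 ;;
    esac
    [ -r "$conf" ] || { echo "FAIL: $conf is not readable" >&2; return 1; }
    [ -r "$defaults" ] || { echo "FAIL: $defaults is missing" >&2; return 1; }

    # Gotcha 2: the last uncommented AUTOSTART= assignment wins; strip surrounding quotes.
    autostart=$(sed -n 's/^[[:space:]]*AUTOSTART=//p' "$defaults" | tail -n 1 | tr -d "\"'")
    base="${name%.conf}"
    [ "$autostart" = "all" ] && return 0
    for entry in $autostart; do
        [ "$entry" = "$base" ] && return 0
    done
    echo "FAIL: AUTOSTART=\"$autostart\" in $defaults does not include $base" >&2
    return 1
}
```

If the check passes and the connection still does not come up after a restart, remember step 3: systemd has to reload the changed defaults file first.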

Installing Intel RST – Error Message “This platform is not supported”

While trying to find out why my Intel RAID had disappeared after upgrading to Windows 10 (but I still had the disks visible), I was trying to install Intel RST to be able to configure my RAID and see if there was any configuration left. The Intel RST installer did however refuse to install, and just gave the cryptic message “This platform is not supported”. It didn’t say .. which platform or what a platform was or .. anything usable (and the log file didn’t tell me much more).

The reason? My motherboard had the SATA mode set to AHCI and not to “RAID”. Went into the BIOS, changed AHCI to RAID in the advanced / SATA configuration, and rebooted. Intel RST installed as it should! And I had to recreate my RAID1 – but Intel RST allows you to say “this is the disk you should keep, so mirror this to the other disk” when creating it (be sure to check the LUN/BUS/etc. IDs in the properties for each disk so you can provide the correct disk as the master copy if they’re out of sync).

So: BIOS -> Advanced -> SATA -> SATA MODE -> RAID.