Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support server-side sessions #25795

Merged
merged 5 commits into from
Oct 31, 2023
Merged

feat: support server-side sessions #25795

merged 5 commits into from
Oct 31, 2023

Conversation

dpgaspar
Copy link
Member

@dpgaspar dpgaspar commented Oct 30, 2023
edited
Loading

SUMMARY

Supports server side sessions with multiple backends provided by flask-session.

Server-side sessions can be effectively managed and destroyed when a user logs out, ensuring that the session data is invalidated.

Adds a new config option SESSION_SERVER_SIDE bool, default to False and use Flask's default SecureCookieSession

Flask-Session supports multiple backends and config options: https://flask-session.readthedocs.io/en/latest/config.html

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@john-bodley john-bodley added the review:checkpoint Last PR reviewed during the daily review standup label Oct 30, 2023
michael-s-molina
michael-s-molina requested changes Oct 30, 2023
View reviewed changes
Copy link
Member

@michael-s-molina michael-s-molina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dpgaspar Could you add more context to why do we need server side sessions? If this is a security concern, could you reach on Slack? My main concern is that server-side sessions may completely change the way we interact with the server, specifically about how we compose requests.

@dpgaspar
Copy link
Member Author

dpgaspar commented Oct 30, 2023
edited
Loading

@dpgaspar Could you add more context to why do we need server side sessions? If this is a security concern, could you reach on Slack? My main concern is that server-side sessions may completely change the way we interact with the server, specifically about how we compose requests.

Yes it's an optional security improvement, as is sessions will continue to behave like they currently do, don't think it will fundamentally change the way we compose requests, users will still have a session cookie but with a UUID only, the rest of the data is kept on the backend. Possible area of impact is thumbnails, I'll double check on what's required

@pull-request-size pull-request-size bot added size/M and removed size/S labels Oct 31, 2023
@dpgaspar
Copy link
Member Author

@dpgaspar Could you add more context to why do we need server side sessions? If this is a security concern, could you reach on Slack? My main concern is that server-side sessions may completely change the way we interact with the server, specifically about how we compose requests.

Yes it's an optional security improvement, as is sessions will continue to behave like they currently do, don't think it will fundamentally change the way we compose requests, users will still have a session cookie but with a UUID only, the rest of the data is kept on the backend. Possible area of impact is thumbnails, I'll double check on what's required

Verified this works seamlessly with thumbnails

michael-s-molina
michael-s-molina approved these changes Oct 31, 2023
View reviewed changes
Copy link
Member

@michael-s-molina michael-s-molina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thank you for the added context @dpgaspar and for adding doc references. They were helpful to review the impact of the change.

@dpgaspar
Copy link
Member Author

LGTM. Thank you for the added context @dpgaspar and for adding doc references. They were helpful to review the impact of the change.

No problem! thank you for the review @michael-s-molina

@dpgaspar dpgaspar merged commit d2f511a into apache:master Oct 31, 2023
31 checks passed
@dpgaspar dpgaspar deleted the feat/sever-side-sessions branch October 31, 2023 16:05
@john-bodley john-bodley removed the review:checkpoint Last PR reviewed during the daily review standup label Oct 31, 2023
@michael-s-molina michael-s-molina added the v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch label Jan 17, 2024
michael-s-molina pushed a commit that referenced this pull request Jan 18, 2024
@dpgaspar @michael-s-molina
feat: support server-side sessions (#25795)
bd4c1a7
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
@dpgaspar
feat: support server-side sessions (apache#25795)
19cc3d7
@mistercrunch mistercrunch added 🍒 3.0.4 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 3.1.0 labels Mar 8, 2024
sfirke pushed a commit to sfirke/superset that referenced this pull request Mar 22, 2024
@dpgaspar @sfirke
feat: support server-side sessions (apache#25795)
30d9e8a
vinothkumar66 pushed a commit to vinothkumar66/superset that referenced this pull request Nov 11, 2024
@dpgaspar
feat: support server-side sessions (apache#25795)
2214af7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michael-s-molina michael-s-molina michael-s-molina approved these changes

@betodealmeida betodealmeida Awaiting requested review from betodealmeida

@craig-rueda craig-rueda Awaiting requested review from craig-rueda

@villebro villebro Awaiting requested review from villebro

Assignees
No one assigned
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/M v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch 🍒 3.0.4 🚢 3.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dpgaspar @michael-s-molina @mistercrunch @john-bodley