I'm trying to make an HTML5 app which is intended to work everywhere(!!). In iOS when a web app is added to the home screen, the resulting standalone app doesn't allow cookies, nor is there an option for the user to enable them.
I'm using server-side sessions (on redis), and in this scenario I'm contemplating appending some sort of auth token to every url request (maybe as a header, say, X-MYTOKEN), which will be stored on the client using localStorage after it is generated after a successful login. Later on a logout or a timeout would invalidate this token on the server side, and the localStorage value would get rewritten on the subsequent login.
Can you weigh in on this approach, or suggest something better?
(Based on IRC chat, I'm going ahead with a random-token-per-user-in-url approach)
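The server-side part of the token-per-user scheme sketched above, as an added example that is not code from this thread: an opaque random token issued on login, looked up from the `X-MYTOKEN` header on each request, refreshed on use, and dropped on logout or idle timeout. The in-memory dict, the header name and the timeout value are assumptions standing in for the redis backend and the app's real settings; the token is stored under its SHA-256 so a dump of the session store does not hand out live tokens.

```python
import hashlib
import secrets
import time

TOKEN_HEADER = "X-MYTOKEN"   # header name taken from the question; not a standard header
SESSION_TTL = 15 * 60        # idle timeout in seconds (assumed value)


def _key(token):
    # Store sessions under a hash of the token so a leaked store (or a
    # redis KEYS * listing) does not reveal tokens that are still valid.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenSessionStore:
    """Server-side sessions keyed by an opaque bearer token.

    A plain dict stands in for redis here; each operation maps directly
    onto SETEX / GET / DEL with the hashed token as the key.
    """

    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self._sessions = {}   # sha256(token) -> {"user": ..., "expires": ...}
        self._ttl = ttl
        self._now = now       # injectable clock so timeouts can be tested

    def login(self, user):
        """Issue a fresh random token after a successful authentication.

        Any earlier token for the same user is revoked, so a new login
        effectively rewrites the client's stored token as the question describes.
        """
        for k in [k for k, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[k]
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[_key(token)] = {"user": user,
                                       "expires": self._now() + self._ttl}
        return token

    def resolve(self, headers):
        """Return the user behind the request's token, or None if absent, unknown or expired.

        `headers` is any mapping; a real framework passes its case-insensitive
        header object (e.g. Flask's request.headers) here.
        """
        token = headers.get(TOKEN_HEADER)
        if not token:
            return None
        k = _key(token)
        sess = self._sessions.get(k)
        if sess is None:
            return None
        if sess["expires"] <= self._now():
            del self._sessions[k]        # idle timeout: remove it server-side
            return None
        sess["expires"] = self._now() + self._ttl   # sliding expiry on each use
        return sess["user"]

    def logout(self, token):
        """Invalidate the token server-side; the copy in localStorage becomes useless."""
        return self._sessions.pop(_key(token), None) is not None


if __name__ == "__main__":
    store = TokenSessionStore()
    tok = store.login("alice")
    print("user for token:", store.resolve({TOKEN_HEADER: tok}))
    store.logout(tok)
    print("after logout:", store.resolve({TOKEN_HEADER: tok}))
```

Carrying the token in a request header rather than in the URL keeps it out of server access logs, browser history and Referer headers; the validity of the token lives entirely on the server, so the client-side localStorage copy can be discarded without losing the ability to revoke it.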
What about subclassing flask.sessions.SessionInterface?
Find out more at: http://flask.pocoo.org/docs/api/#flask.sessions.SessionInterface.
This is how I would do it, but I'm pretty new at these things... You can do it better (A custom Jinja tag?).
Never going to happen just because of the security problems with it.
There is btw an implementation for that on github: https://github.com/mitsuhiko/flask-stupid-ideas/blob/master/stupidsessions.py