SQL cleanup thread or per requests

src/flask_session/__init__.py

@@ -106,6 +106,12 @@ def _get_interface(self, app):
         SESSION_SQLALCHEMY_BIND_KEY = config.get(
             "SESSION_SQLALCHEMY_BIND_KEY", Defaults.SESSION_SQLALCHEMY_BIND_KEY
         )
+        SESSION_CLEANUP_N_REQUESTS = config.get(
+            "SESSION_CLEANUP_N_REQUESTS", Defaults.SESSION_CLEANUP_N_REQUESTS
+        )
+        SESSION_CLEANUP_N_SECONDS = config.get(
+            "SESSION_CLEANUP_N_SECONDS", Defaults.SESSION_CLEANUP_N_SECONDS
+        )
 
         common_params = {
             "app": app,
@@ -147,6 +153,8 @@ def _get_interface(self, app):
                 sequence=SESSION_SQLALCHEMY_SEQUENCE,
                 schema=SESSION_SQLALCHEMY_SCHEMA,
                 bind_key=SESSION_SQLALCHEMY_BIND_KEY,
+                cleanup_n_requests=SESSION_CLEANUP_N_REQUESTS,
+                cleanup_n_seconds=SESSION_CLEANUP_N_SECONDS,
             )
         else:
             raise RuntimeError(f"Unrecognized value for SESSION_TYPE: {SESSION_TYPE}")

src/flask_session/defaults.py

@@ -9,6 +9,10 @@ class Defaults:
     SESSION_PERMANENT = True
     SESSION_SID_LENGTH = 3
 
+    # Clean up settings for non TTL backends (SQL, PostgreSQL, etc.)
+    SESSION_CLEANUP_N_REQUESTS = None
+    SESSION_CLEANUP_N_SECONDS = None
+
     # Redis settings
     SESSION_REDIS = None
 

src/flask_session/sessions.py

@@ -7,8 +7,10 @@
 except ImportError:
     import pickle
 
+import random
 from datetime import datetime
 from datetime import timedelta as TimeDelta
+from threading import Thread
 from typing import Any, Optional
 
 from flask import Flask, Request, Response
@@ -100,13 +102,25 @@ def __init__(
         use_signer: bool = Defaults.SESSION_USE_SIGNER,
         permanent: bool = Defaults.SESSION_PERMANENT,
         sid_length: int = Defaults.SESSION_SID_LENGTH,
+        cleanup_n_requests: Optional[int] = Defaults.SESSION_CLEANUP_N_REQUESTS,
+        cleanup_n_seconds: Optional[int] = Defaults.SESSION_CLEANUP_N_SECONDS,
     ):
         self.app = app
         self.key_prefix = key_prefix
         self.use_signer = use_signer
         self.permanent = permanent
         self.sid_length = sid_length
         self.has_same_site_capability = hasattr(self, "get_cookie_samesite")
+        self.cleanup_n_requests = cleanup_n_requests
+        self.cleanup_n_seconds = cleanup_n_seconds
+
+        # Cleanup settings for non-TTL databases only
+        if self.ttl:
+            self._register_cleanup_app_command()
+            if self.cleanup_n_seconds:
+                self._start_cleanup_thread(self.cleanup_n_seconds)
+            if self.cleanup_n_requests:
+                self.app.before_request(self._cleanup_per_requests)
 
     def save_session(
         self, app: Flask, session: ServerSideSession, response: Response
@@ -177,6 +191,42 @@ def open_session(self, app: Flask, request: Request) -> ServerSideSession:
         sid = self._generate_sid(self.sid_length)
         return self.session_class(sid=sid, permanent=self.permanent)
 
+    # CLEANUP METHODS FOR NON TTL DATABASES
+
+    def _register_cleanup_app_command(self):
+        """
+        Register a custom Flask CLI command for cleaning up expired sessions.
+
+        Run the command with `flask session_cleanup`. Run with a cron job
+        or scheduler such as Heroku Scheduler to automatically clean up expired sessions.
+        """
+
+        @self.app.cli.command("session_cleanup")
+        def session_cleanup():
+            with self.app.app_context():
+                self._delete_expired_sessions()
+
+    def _cleanup_n_requests(self) -> None:
+        """Delete expired sessions approximately every N requests."""
+        if self.cleanup_n_seconds or (
+            self.cleanup_n_requests and random.randint(0, self.cleanup_n_requests) == 0
+        ):
+            self._delete_expired_sessions()
+
+    def _start_cleanup_thread(self, cleanup_n_seconds: int) -> None:
+        """Start a background thread to delete expired sessions approximately every N seconds."""
+
+        def cleanup():
+            with self.app.app_context():
+                while True:
+                    self._delete_expired_sessions()
+                    time.sleep(cleanup_n_seconds)
+
+        thread = Thread(target=cleanup, daemon=True)
+        thread.start()
+
+    # METHODS TO BE IMPLEMENTED BY SUBCLASSES
+
     def _retrieve_session_data(self, store_id: str) -> Optional[dict]:
         raise NotImplementedError()
 
@@ -188,6 +238,10 @@ def _upsert_session(
     ) -> None:
         raise NotImplementedError()
 
+    def _delete_expired_sessions(self) -> None:
+        """Delete expired sessions from the backend storage. Only required for non-TTL databases."""
+        pass
+
 
 class RedisSessionInterface(ServerSideSessionInterface):
     """Uses the Redis key-value store as a session backend. (`redis-py` required)
@@ -207,6 +261,7 @@ class RedisSessionInterface(ServerSideSessionInterface):
 
     serializer = pickle
     session_class = RedisSession
+    ttl = True
 
     def __init__(
         self,
@@ -273,6 +328,7 @@ class MemcachedSessionInterface(ServerSideSessionInterface):
 
     serializer = pickle
     session_class = MemcachedSession
+    ttl = True
 
     def __init__(
         self,
@@ -365,6 +421,8 @@ class FileSystemSessionInterface(ServerSideSessionInterface):
     """
 
     session_class = FileSystemSession
+    serializer = None
+    ttl = True
 
     def __init__(
         self,
@@ -425,6 +483,7 @@ class MongoDBSessionInterface(ServerSideSessionInterface):
 
     serializer = pickle
     session_class = MongoDBSession
+    ttl = True
 
     def __init__(
         self,
@@ -515,6 +574,11 @@ class SqlAlchemySessionInterface(ServerSideSessionInterface):
     :param sequence: The sequence to use for the primary key if needed.
     :param schema: The db schema to use
     :param bind_key: The db bind key to use
+    :param cleanup_n_requests: Delete expired sessions approximately every N requests.
+    :param cleanup_n_seconds: Delete expired sessions approximately every N seconds.
+
+    .. versionadded:: 0.7
+        The `cleanup_n_requests` and `cleanup_n_seconds` parameters were added.
 
     .. versionadded:: 0.6
         The `sid_length`, `sequence`, `schema` and `bind_key` parameters were added.
@@ -525,6 +589,7 @@ class SqlAlchemySessionInterface(ServerSideSessionInterface):
 
     serializer = pickle
     session_class = SqlAlchemySession
+    non_ttl = True
 
     def __init__(
         self,
@@ -538,12 +603,14 @@ def __init__(
         sequence: Optional[str] = Defaults.SESSION_SQLALCHEMY_SEQUENCE,
         schema: Optional[str] = Defaults.SESSION_SQLALCHEMY_SCHEMA,
         bind_key: Optional[str] = Defaults.SESSION_SQLALCHEMY_BIND_KEY,
+        cleanup_n_requests: Optional[int] = Defaults.SESSION_CLEANUP_N_REQUESTS,
+        cleanup_n_seconds: Optional[int] = Defaults.SESSION_CLEANUP_N_SECONDS,
     ):
+        self.app = app
         if db is None:
             from flask_sqlalchemy import SQLAlchemy
 
             db = SQLAlchemy(app)
-
         self.db = db
         self.sequence = sequence
         self.schema = schema
@@ -586,6 +653,18 @@ def __repr__(self):
 
         self.sql_session_model = Session
 
+    def _delete_expired_sessions(self) -> None:
+        try:
+            self.db.session.query(self.sql_session_model).filter(
+                self.sql_session_model.expiry <= datetime.utcnow()
+            ).delete(synchronize_session=False)
+            self.db.session.commit()
+            self.app.logger.info("Deleted expired sessions")
+        except Exception as e:
+            self.app.logger.exception(
+                e, "Failed to delete expired sessions. Skipping..."
+            )
+
     def _retrieve_session_data(self, store_id: str) -> Optional[dict]:
         # Get the saved session (record) from the database
         record = self.sql_session_model.query.filter_by(session_id=store_id).first()