Server-Side Scripting/Cookies and Sessions/Python (Flask)

# Demonstrates session and cookie processing. The username is stored
# as a cookie and an internal userid is saved in a session variable.
# Also demonstrates secure password authentication using bcrypt salt
# and hash.
# References:

import os
import flask
import bcrypt

app = flask.Flask(__name__)
app.secret_key = os.urandom(32) # 256-bit key secures session variables

FORM = """
<h1>Cookies and Sessions</h1>
<p>Cookie: {{cookie}}<br>Session: {{session}}</p>
<form method="POST">
<p><label for="username">Username:</label>
<input type="text" id="username" name="username" value="{{username}}"></p>
<p><label for="password">Password:</label>
<input type="password" id="password" name="password"></p>
<input type="submit" id="log-in" name="log-in" value="Log In">&nbsp;
<input type="submit" id="log-out" name="log-out" value="Log Out">&nbsp;
<input type="submit" id="forget-me" name="forget-me" value="Forget Me">&nbsp;
<input type="submit" id="reload" name="Reload" value="Reload">

users = [
    # Password is the same as the username, just salted and hashed.
    # Don't do this in a production application! Use custom passwords.
    { "userid": 1, "username": "admin", 
        "password": b'$2b$12$6xEcJ9bCRo3JgNWyn32fwuSoRh1pg8f81jjHpYq6NQ9Y8uDkhWOE6'},
    { "userid": 2, "username": "test", 
        "password": b'$2b$12$UZLEFMg9ez.n88Sjpb/ZN.VVlmyPPxHOeL/DE452Si4H3PSQSB0Pa'}

@app.route("/", methods=["GET"])
def root_get():
    username = flask.request.cookies.get("username")
    userid = flask.session.get("userid")
    return build_form(username, userid)

@app.route("/", methods=["POST"])
def root_post():
    if flask.request.form.get("reload", None):
        return flask.redirect("/", code=200)

    elif flask.request.form.get("log-out", None):
        username = flask.request.cookies.get("username")
        result = build_form(username, None)
        return result

    elif flask.request.form.get("forget-me", None):
        result = build_form(None, None)
        response = flask.make_response(result)
        response.set_cookie("username", "", max_age=0)
        return response

        username = flask.request.form["username"]
        password = flask.request.form["password"]
        userid = authenticate_user(username, password)
        if userid:
            flask.session["userid"] = userid
            result = build_form(username, userid)
            response = flask.make_response(result)
            response.set_cookie("username", username)
            return response
            return flask.redirect("/", code=303)

def build_form(username, userid):
    cookie = str(bool(username))
    session = str(bool(userid))
    if username and userid:
        welcome = f"Welcome back {username}! You are logged in."
    elif username:
        welcome = f"Welcome back  {username}! Please log in."
        welcome = "Welcome! Please log in."

    if not username:
        username = ""

    result = FORM
    result = result.replace("{{cookie}}", cookie)
    result = result.replace("{{session}}", session)
    result = result.replace("{{welcome}}", welcome)
    result = result.replace("{{username}}", username)

    return result

def authenticate_user(username, password):
    for user in users:
        if user["username"] == username:
            result = bcrypt.checkpw(password.encode(), user["password"])
            if result:
                # should track successful logins
                return user["userid"]
                # Should track failed attempts, lock account, etc.
                return None
    return None

def generate_hashed_password(password):
    # Use this function to generate hashed passwords to save in 
    # the users list or a database.
    salt = bcrypt.gensalt()
    hashed = bcrypt.hashpw(password, salt)
    return hashed

if __name__ == "__main__":"", port=5000)

Try It


Copy and paste the code above into the following free online development environment or use your own Python (Flask) compiler / interpreter / IDE.

See Also