{"library":"flask-session","title":"Flask-Session","description":"Flask-Session is an official extension for Flask that provides support for server-side session management. Instead of storing session data directly in client-side cookies (which can be size-limited and less secure), it stores it on the server using various backends like Redis, Memcached, FileSystem, MongoDB, SQLAlchemy, or DynamoDB. The current version is 0.8.0, and it is actively maintained by the Pallets organization, ensuring regular updates and compatibility with Flask. [1, 5, 15, 16]","status":"active","version":"0.8.0","language":"en","source_language":"en","source_url":"https://github.com/pallets-eco/flask-session","tags":["Flask","session","server-side session","web","extension","Redis","MongoDB","SQLAlchemy"],"install":[{"cmd":"pip install flask-session","lang":"bash","label":"Basic installation"},{"cmd":"pip install 'flask-session[redis]' # For Redis backend\npip install 'flask-session[cachelib]' # For CacheLib backend (replaces FileSystem)\npip install 'flask-session[mongodb]' # For MongoDB backend\npip install 'flask-session[sqlalchemy]' # For SQLAlchemy backend\npip install 'flask-session[dynamodb]' # For DynamoDB backend","lang":"bash","label":"With specific backend dependencies"}],"dependencies":[{"reason":"Core web framework dependency for the extension.","package":"Flask","optional":false},{"reason":"Required for RedisSessionInterface.","package":"redis","optional":true},{"reason":"Required for CacheLibSessionInterface, which replaced FileSystemSessionInterface.","package":"cachelib","optional":true},{"reason":"Required for MongoDBSessionInterface.","package":"pymongo","optional":true},{"reason":"Required for SqlAlchemySessionInterface.","package":"SQLAlchemy","optional":true},{"reason":"Required for DynamoDBSessionInterface (added in v0.8.0).","package":"boto3","optional":true}],"imports":[{"symbol":"Session","correct":"from flask_session import Session"},{"note":"The 'Session' class from 'flask_session' is for initializing the extension; the 'session' proxy object for accessing/modifying session data comes from 'flask' itself, just like Flask's built-in session. [3, 4]","wrong":"from flask_session import session","symbol":"session","correct":"from flask import session"}],"quickstart":{"code":"import os\nfrom flask import Flask, session, redirect, url_for\nfrom flask_session import Session\nfrom redis import Redis\n\napp = Flask(__name__)\n\n# Configuration for server-side sessions\napp.config[\"SECRET_KEY\"] = os.environ.get(\"FLASK_SECRET_KEY\", \"super-secret-key-that-should-be-random-and-long\")\napp.config[\"SESSION_TYPE\"] = \"redis\"\napp.config[\"SESSION_PERMANENT\"] = False # Set to True for permanent sessions\n\n# Configure Redis client (replace with your Redis connection details)\n# For production, consider using environment variables for host/port/password\napp.config[\"SESSION_REDIS\"] = Redis(host=os.environ.get(\"REDIS_HOST\", \"localhost\"), port=6379, db=0)\n\n# Initialize Flask-Session\nSession(app)\n\n@app.route('/')\ndef index():\n    if 'username' in session:\n        return f'Hello, {session[\"username\"]}! <a href=\"/logout\">Logout</a>'\n    return 'You are not logged in. <a href=\"/login\">Login</a>'\n\n@app.route('/login')\ndef login():\n    # Simulate a login, in a real app this would involve forms and authentication\n    session['username'] = 'testuser'\n    return redirect(url_for('index'))\n\n@app.route('/logout')\ndef logout():\n    session.pop('username', None)\n    return redirect(url_for('index'))\n\nif __name__ == '__main__':\n    app.run(debug=True)","lang":"python","description":"This quickstart demonstrates how to set up Flask-Session with a Redis backend. It configures the Flask application with a secret key (essential for session security) and specifies Redis as the session storage type. The example includes simple routes to set, get, and clear session data, showcasing how `flask.session` is used once `flask_session.Session` is initialized. Remember to install `redis` (`pip install 'flask-session[redis]'`) for this example to work. [3, 8]"},"warnings":[{"fix":"Upgrade to 0.7.0+ and ensure all active sessions are accessed/modified to trigger migration to `msgspec` before upgrading to 1.0.0. Configure `SESSION_SERIALIZATION_FORMAT = 'json'` if you need a human-readable format or have specific compatibility needs, though `msgpack` (default) is more efficient. [10]","message":"The default session serialization format changed from `pickle` to `msgspec` in version 0.7.0. While 0.7.0 attempts to convert existing `pickle` sessions upon read/write, `pickle` support will be entirely removed in version 1.0.0. Any un-migrated `pickle` sessions will be cleared upon access in 1.0.0. [5, 7, 10]","severity":"breaking","affected_versions":"0.7.0+"},{"fix":"Remove `SESSION_USE_SIGNER` from your configuration as `sid_length` now provides the relevant entropy. Migrate from `SESSION_TYPE = 'filesystem'` to `SESSION_TYPE = 'cachelib'` and ensure `cachelib` is installed. [7, 10]","message":"The `SESSION_USE_SIGNER` configuration option and `FileSystemSessionInterface` were deprecated in version 0.7.0. `FileSystemSessionInterface` is replaced by `CacheLibSessionInterface` which uses `cachelib` under the hood. [7, 10]","severity":"deprecated","affected_versions":"0.7.0+"},{"fix":"Always configure a strong, random `SECRET_KEY` in your Flask application. For production, load this from environment variables or a secure configuration system. `app.config[\"SECRET_KEY\"] = os.environ.get(\"FLASK_SECRET_KEY\")`","message":"It is crucial to set `app.config[\"SECRET_KEY\"]` when using Flask-Session, even though sessions are server-side. This secret key is used to cryptographically sign the session ID cookie that is sent to the client, preventing tampering and ensuring session integrity. [8, 12]","severity":"gotcha","affected_versions":"All versions"},{"fix":"Always use `from flask import session` and then interact with `session['key']` or `session.get('key')` within your application code after initializing Flask-Session with `Session(app)`. [3]","message":"Flask-Session's `Session` class is for initializing the extension with your Flask application. To access or modify the current session data within your routes, you must import and use `flask.session`, which is Flask's built-in session proxy. Attempting to use the `Session` instance directly for data access will not work as expected. [3, 4]","severity":"gotcha","affected_versions":"All versions"},{"fix":"Be mindful of `PERMANENT_SESSION_LIFETIME`'s impact on your server-side session data lifespan. For non-permanent sessions that expire with the browser, ensure `SESSION_PERMANENT = False` and understand its limitations regarding server-side cleanup. [10]","message":"The `PERMANENT_SESSION_LIFETIME` configured in Flask's app config (e.g., `app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=30)`) is used by Flask-Session to set the expiration time for the *server-side session data*, not just the client-side cookie. This applies regardless of whether `SESSION_PERMANENT` is set to `True` or `False`. [2, 10]","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-06T00:00:00.000Z","next_check":"2026-07-05T00:00:00.000Z"}