Session Timeout Test

on timeout functionality in the Flask app. The session timeout is set to 5000 days for demonstration purposes. Seesions with long expiration or no expiration times increase the risk that someone else might access the account on the same computer or even steal the session token and compromise the account.

This page provides instructions for testing stealing a session token.

Steps to Test Session Timeout:

Enter a valid username and password (user1/password1):

After logging in, you will be redirected to the Dashboard.

Refresh the Dashboard page or navigate to another page within the app.

Look at the network call to the /dashboard endpoint (hint, use Chrome debugging tools). Note that in the Cookie header value there is a session token. Copy the GET curl command for /dashboard


    curl 'http://127.0.0.1:5000/dashboard' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Cache-Control: max-age=0' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: session=eyJ1c2VybmFtZSI6InVzZXIxIn0.ZZRmyg.zKOnmV6Z7Nj46QR8hjAbuNZYV90' \
  -H 'Referer: http://127.0.0.1:5000/' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Sec-Fetch-Mode: navigate' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --compressed

Paste the curl and run it in a terminal. You full access to this users account now without having to know the password. In other words, you can run this command from any computer in the world that can reach the application:


            Welcome, user1! This is your dashboard.