
python.flask.session_timeout

Category: Security | Severity: Medium

Detects Flask apps without session timeout configuration.

No session timeout:

  • Session hijacking — Stolen sessions valid forever
  • Compliance issues — Many regulations require timeout
  • Resource waste — Old sessions consume memory

# ❌ Before (no timeout)
from flask import Flask

app = Flask(__name__)
app.secret_key = 'secret'
# Sessions never expire!

# ✅ After (with session timeout)
import os
from datetime import timedelta

from flask import Flask, session

app = Flask(__name__)
app.secret_key = os.environ['FLASK_SECRET_KEY']
app.permanent_session_lifetime = timedelta(hours=1)

@app.before_request
def make_session_permanent():
    # Permanent sessions get permanent_session_lifetime as their expiry
    session.permanent = True

Flagged patterns:

  • Missing permanent_session_lifetime
  • Very long session lifetimes
  • No session expiration logic
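The fix shown by the rule bounds the lifetime of the session cookie. As an added example (not part of the rule's documentation or of Flask itself), the code below layers an explicit idle timeout and an absolute timeout on top of permanent_session_lifetime, and shows how that policy plugs into a Flask app. The timeout values, the create_app helper, the /login and /me routes, and the demo user id are assumptions for illustration; the policy functions are framework-free so they can be unit-tested without Flask installed.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example; pick what your threat model requires.
IDLE_TIMEOUT = timedelta(minutes=15)   # log out after this much inactivity
ABSOLUTE_TIMEOUT = timedelta(hours=8)  # log out this long after login regardless of activity


def start_session(sess, user_id, now):
    """Initialise a freshly authenticated session.

    Timestamps are stored as ISO-8601 strings so they survive Flask's
    JSON-based session serializer. The session is cleared first so that
    nothing from a pre-login session is carried over (session fixation).
    """
    sess.clear()
    sess["user_id"] = user_id
    sess["created_at"] = now.isoformat()
    sess["last_seen"] = now.isoformat()


def session_status(sess, now):
    """Classify a session as 'anonymous', 'ok', 'idle_expired' or 'absolute_expired'.

    A session missing any of the bookkeeping keys (e.g. a cookie issued before
    the policy existed) is treated as anonymous, i.e. the check fails closed.
    """
    if not all(k in sess for k in ("user_id", "created_at", "last_seen")):
        return "anonymous"
    created = datetime.fromisoformat(sess["created_at"])
    last_seen = datetime.fromisoformat(sess["last_seen"])
    if now - created > ABSOLUTE_TIMEOUT:
        return "absolute_expired"
    if now - last_seen > IDLE_TIMEOUT:
        return "idle_expired"
    return "ok"


def enforce_timeout(sess, now):
    """Apply the policy in place: expired sessions are wiped, live ones are touched.

    Returns the status computed before any modification so callers can log it.
    """
    status = session_status(sess, now)
    if status in ("idle_expired", "absolute_expired"):
        sess.clear()  # drop user_id and timestamps; the client is now anonymous
    elif status == "ok":
        sess["last_seen"] = now.isoformat()  # sliding idle window
    return status


def create_app(secret_key):
    """Build a Flask app that enforces the policy above (hypothetical helper)."""
    # Imported here so the policy functions stay importable without Flask.
    from flask import Flask, abort, jsonify, request, session

    app = Flask(__name__)
    app.secret_key = secret_key
    # Flask also uses this value as max_age when verifying the signed cookie,
    # so a cookie older than ABSOLUTE_TIMEOUT is rejected even if replayed.
    app.permanent_session_lifetime = ABSOLUTE_TIMEOUT
    app.config["SESSION_COOKIE_HTTPONLY"] = True
    app.config["SESSION_COOKIE_SECURE"] = True
    app.config["SESSION_COOKIE_SAMESITE"] = "Lax"

    @app.before_request
    def apply_timeout_policy():
        session.permanent = True  # as on the rule page: cookie expiry = permanent_session_lifetime
        if request.endpoint == "login":
            return None
        if enforce_timeout(session, datetime.now(timezone.utc)) != "ok":
            abort(401)

    @app.post("/login")
    def login():
        # Real code authenticates credentials first; "demo-user" is a constructed id.
        start_session(session, "demo-user", datetime.now(timezone.utc))
        return jsonify(status="logged_in")

    @app.get("/me")
    def me():
        return jsonify(user=session["user_id"])

    return app


if __name__ == "__main__":
    import os
    create_app(os.environ["FLASK_SECRET_KEY"]).run()
```

Keeping the idle and absolute checks in plain functions over the session mapping is the design choice here: Flask's permanent_session_lifetime alone gives a single sliding window tied to the cookie signature, whereas the absolute bound caps how long a stolen cookie stays usable even if the attacker keeps it active.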