Building Data-Driven Web Apps with Flask and SQLAlchemy Transcripts
Chapter: User input and HTML forms
Lecture: Creating a user session (cookies)

0:00 Super close to having both login and register complete. In fact, they're doing everything except for remembering the user, logging us into a session.
0:09 So, the way we're going to do that is we're going to set a cookie. Now, setting cookies in Flask is quite easy, actually.
0:16 But combining that with a redirect and combining that with our little response helper makes it a tiny bit trickier.
0:22 So, we're going to see it takes a couple of steps to actually set the cookie in the response but no big deal. However, the other thing we want to do
0:29 is make sure that we can create a cookie that cannot be tampered with. Like, let's say they log in and we say
0:34 well in the cookie, we're setting the user_id to 7. What is going to stop them from going and editing that and going, well actually the user_id is 92
0:44 or whatever, right? We don't want to change that and let them hack it so we're going to make these tamper-proof cookies which is pretty easy.
0:51 We can just use some hashing and validation but it's a little more involved than worth actually creating from scratch.
0:57 So I'm just going to create a new file over here. cookie_auth.py, like that. I'm going to drop some code in here
1:05 so let's go over here and just see what we've got. So we've got a function called set_auth which takes a Flask response
1:10 and what it's going to do is take a user_id and actually hash it up into a bunch of scrambled stuff. And then, it's going to actually go over here
1:19 and set the value like 7 or 85 I guess is my user_id now and I registered. But then also, this other scrambled thing
1:27 very much like our password thing we just did to say, This is the validation of that. So you could theoretically change that
1:34 but you won't know what to change this to so the system will still think the integrity is there. All right, so we're adding this like super something
1:43 super simple in terms of this hash. Change it a little bit, do a quick hash on it and throw that back. Then what we're going to do is
1:50 we're just going to go and either set the cookie by name, age and then we're going to say it's going to time out
1:55 after 30 days. You could make this whatever you want. And then what we're going to do is like when they come back
2:01 we'll ask what the user_id is based on inbound cookies 'cause the browser will roundtrip them. So we split that apart.
2:07 We get the user_id and the validation and then we just verify that it was not tampered with and we do this little convert to integer
2:15 and either we get nothing or we get a nice user_id back. So, Optional of int. Whoo! All that makes this sound like a lot.
2:23 Using it turns out to be super simple. Here we go. We're going to go down here and use our cookie_auth. So where it says you need to set a login here
2:31 we're going to say cookie_auth.set_auth. Now, here's where it gets a little trickier because we're doing a redirect and whatnot.
2:40 So, sure we can set it, but we have to provide a response. Well, the user_id is just user_id. That's simple, but how do we get the response?
2:50 Well, what we want to do is create a response that will redirect us over this place, like here. Actually, possibly we could do it like this.
3:03 Let's see if this is going to work for us. Try to put this as much together as possible and then down here, also in this one I'll do the same thing.
3:14 All right, let's give this a shot and see if it works. So, we're going to come over here and notice we're not logged in right now.
3:22 I'm going to come in and we're going to try to log in. Kind of do a quick test. The account doesn't exist. Use the right password.
3:30 All right, here we go. Awesome! Off it goes. Well, it looked like it logged in but did not actually get us the right thing
3:37 did not get us our cookies and so on. So we go over here and do a request and come back and look at just the HTML
3:49 Look at the cookies, Whoohoo! Look at that! There it is. 85 and then all that scrambled mess on the other side
3:56 that's actually good. That's the validation, right? Like, you couldn't figure out what it's supposed to be without seeing the code. Okay, super.
4:02 So it looks like that's actually working. Now, what we need to do is just have our account understand that. This also makes it super easy to logout.
4:11 So I can come over here and say something to this effect here. When we log out, what we're going to do is we're going to redirect to maybe just home
4:20 and here, we're just going to go to log out. And log out simply deletes that cookie from the response.
4:27 So, it sends the message back to the browser like, Hey, your job is to delete this, so we'll be able to go and log out, and I think that pretty much does it
4:35 but let's go over here and do a quick test. I have user_id = cookie_auth.get_user_id_via_auth_cookie(flask.request).
4:49 So it's going to come in and then we can say we can check for it we can say user equals user service. We have find user by email
4:58 but we don't have one for by id, yet. Super easy to write, as you will see. I'll say, "If user, if not user we need to return a flask.abort
5:12 forward to /account/login, right. So if you come in and you're not logged in for our cookie, then you have to go login.
5:20 Otherwise, we're going to return. User is just going to be that user. So we can say something like, Hey, welcome so-and-so
5:28 but first this must be written. And it's super easy. Takes an int and it returns an Optional of user, as many of these do.
5:39 You know what, it looks a whole lot like that. So we're going to go and write this bit. So instead of email, I need ID, is double equals, user_id.
5:50 That's it. Now we just need to return user and we're all good. So right now, one more thing let's go ahead and just round this out.
5:58 By having our home page, no do this. Just say, Welcome your account. Something like that. So come over here, refresh it
6:12 look at that, Welcome to your account Michael. If we go and we try to logout we don't have that written in terms of the navigation yet
6:19 we'll do that in a moment. Now we're logged out, we went home, now if we try to go back to account like before and it says, ohh, string not callable
6:26 oh whoops, I didn't mean abort I meant redirect to there. Here we go, and I didn't mess up the bottom did I? Redirect, redirect. No we're good, okay.
6:39 Sorry about that. So we come over here and we try to go to our account 'cause we've logged out, where does it take us?
6:46 Straight over to login 'cause we no longer have that cookie. Once we log in again, it takes us over here, we now have the cookie, Welcome to your account.
6:56 Do a quick logout and we'll be gone again and that's the flow. Super Easy. Final test, go back to account. Nope, there's no account, not yet.
7:06 Got to login. How cool is that. So we can create these tamper-proof cookies and save them to the session
7:12 use them to drive or manage the session, within the browser.
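The lecture above builds its validation value from a salted hash of the user_id. The following is an added example, written for this transcript and not the course's own cookie_auth.py, that implements the same set_auth / get_user_id_via_auth_cookie / logout trio the way a security engineer would harden it: the tag is an HMAC over the payload keyed with a server secret (so an attacker who sees the cookie and even the code still cannot forge a tag), the expiry time is inside the signed payload rather than only in the cookie's max-age, the tag is checked with a constant-time comparison, and the cookie is marked HttpOnly, Secure and SameSite. The cookie name "demo_account", the environment variable DEMO_COOKIE_SECRET, the helper names and the FakeResponse stub used for the offline demo are assumptions for this example, not names from the course. The functions are duck-typed: any object with Flask/Werkzeug-style set_cookie, delete_cookie and cookies works, so the same code plugs into a real flask.Response and flask.request.

```python
# Added example (not the course's cookie_auth.py): HMAC-signed "remember me" cookie.
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed cookie name and lifetime; the lecture uses a 30-day timeout as well.
AUTH_COOKIE_NAME = "demo_account"
MAX_AGE_SECONDS = 30 * 24 * 60 * 60

# Assumption: the signing key comes from the environment. The fallback is for
# offline demos only; a deployment must set DEMO_COOKIE_SECRET to a random value.
SECRET_KEY = os.environ.get("DEMO_COOKIE_SECRET", "dev-only-secret-change-me").encode()


def _sign(payload: str, key: bytes) -> str:
    # HMAC-SHA256 over the payload; without `key` the tag cannot be reproduced.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_auth_cookie_value(user_id: int, expires_at: int, key: bytes = SECRET_KEY) -> str:
    # Format: "<user_id>:<unix expiry>:<hex tag>". The expiry is inside the signed
    # payload, so a client cannot extend its own session by editing it.
    payload = f"{int(user_id)}:{int(expires_at)}"
    return f"{payload}:{_sign(payload, key)}"


def parse_auth_cookie_value(value: Optional[str], now: Optional[int] = None,
                            key: bytes = SECRET_KEY) -> Optional[int]:
    # Returns the user_id only if the tag verifies and the cookie has not expired.
    if not value:
        return None
    parts = value.split(":")
    if len(parts) != 3:
        return None
    user_id_text, expires_text, tag = parts
    payload = f"{user_id_text}:{expires_text}"
    # compare_digest avoids leaking how many tag bytes matched via timing.
    if not hmac.compare_digest(_sign(payload, key), tag):
        return None
    try:
        user_id = int(user_id_text)
        expires_at = int(expires_text)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if current > expires_at:
        return None
    return user_id


def set_auth(response, user_id: int) -> None:
    # `response` is any Flask/Werkzeug-style response object with set_cookie().
    expires_at = int(time.time()) + MAX_AGE_SECONDS
    response.set_cookie(
        AUTH_COOKIE_NAME,
        make_auth_cookie_value(user_id, expires_at),
        max_age=MAX_AGE_SECONDS,
        httponly=True,   # not readable from JavaScript (limits XSS impact)
        secure=True,     # only sent over HTTPS
        samesite="Lax",  # not sent on cross-site POSTs (limits CSRF)
    )


def get_user_id_via_auth_cookie(request) -> Optional[int]:
    # `request` is any object whose .cookies behaves like flask.request.cookies.
    return parse_auth_cookie_value(request.cookies.get(AUTH_COOKIE_NAME))


def logout(response) -> None:
    # Ask the browser to drop the cookie; the server keeps no session state.
    response.delete_cookie(AUTH_COOKIE_NAME)


class FakeResponse:
    # Constructed stand-in for the offline demo; it records cookies like a
    # Werkzeug response would and doubles as a request (it exposes .cookies).
    def __init__(self) -> None:
        self.cookies: dict = {}

    def set_cookie(self, key: str, value: str = "", **kwargs) -> None:
        self.cookies[key] = value

    def delete_cookie(self, key: str, **kwargs) -> None:
        self.cookies.pop(key, None)


if __name__ == "__main__":
    resp = FakeResponse()
    set_auth(resp, 85)
    print("logged in as:", get_user_id_via_auth_cookie(resp))
    tampered = FakeResponse()
    tampered.cookies[AUTH_COOKIE_NAME] = resp.cookies[AUTH_COOKIE_NAME].replace("85:", "92:", 1)
    print("after editing user_id to 92:", get_user_id_via_auth_cookie(tampered))
    logout(resp)
    print("after logout:", get_user_id_via_auth_cookie(resp))
```

Two caveats when wiring this into the lecture's views. With secure=True the browser will not send the cookie to the plain-HTTP development server, so either serve HTTPS locally or drop that flag only for development. And because nothing is stored server-side, a cookie stays valid until its signed expiry even after the user changes their password; if you need immediate revocation, keep a per-user session version in the database and include it in the signed payload. Flask's built-in signed session (backed by itsdangerous) implements the same HMAC scheme for you and is the usual choice when you do not need the custom cookie layout.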