I have a Flask application hosted on Heroku, and the Heroku instance (say, "helloworld.herokuapp.com") has a custom domain name, say "www.helloworld.com".
When I access the app at the native heroku URL, sessions work perfectly fine. When I access it at www.helloworld.com, they don't work. I assume that this is because the session cookie that Flask is signing is for the wrong domain.
I tried assigning app.SESSION_COOKIE_DOMAIN and app.SERVER_NAME to 'helloworld.com', but it still only signs the session cookies for helloworld.herokuapp.com.
Is there any way I can force the session cookies to sign as my custom domain?
After much testing and many permutations of SESSION_COOKIE_DOMAIN and SERVER_NAME, I concluded that the problem was with Heroku. Something about the way Heroku currently routes/hooks up to custom domains breaks domain cookies.
I verified this by moving to EC2...now everything works.
Related
I'm trying to follow this tutorial to create a Flask Application that authenticate a user registered in Firebase and manage his session through the token id.
The problem is that the /sessionLogin route seems to work only when is invoked with a GET request (and not POST as in the tutorial), otherwise it doesn't set the cookies on the browser (I'm using Chrome 90.0).
Any idea why it doesn't work? Thanks
I've created a shopping site with a backend and a frontend.
The backend is python (3.6.5) with Flask.
I want to deploy my site to Google App Engine (gae).
When in development, everything works fine.
When deployed (in production) each rpc gets it's own 'thread' and everything is a mess.
I tried slapping gunicorn on it with sync and gevent worker class, but to no avail.
In deployment, how can I make each connection/session remember it's own 'instance of the backend'?
-instead of gae/flask/gunicorn serving a new instance of the backend for each request?
I need each user connection to be consistent and 'its own'/'private'.
It's not possible to do this. App Engine will spread the request load to your application across all instances, regardless of which one previously handled a request from a specific IP. A specific instance may also come online or go offline due to load or underlying changes to App Engine (e.g., a data center needs maintenance).
If you need to maintain session state between multiple requests to your app, you have a couple options depending on the architecture:
Keep session state in cookies with Flask.session
Keep session state in storage with Memorystore
I am trying to set up a subdomain on a flask server, which has a server hosted on Heroku and a custom domain hosted on GoDaddy. I have verified that my subdomain is working locally. The subdomain is a separate blueprint in my app. My setup in flask is:
blueprint = Blueprint('blueprint', __name__, template_folder="templates", subdomain="blueprint")
#blueprint.route('/')
def index():
return "Hello Mate"
and then
app.config['SERVER_NAME'] = os.environ['MY_SERVER_NAME']
from blueprint.views import blueprint
app.register_blueprint(blueprint)
On my local machine, I set up a custom record in my hosts file (/etc/hosts) to test the subdomain. The file has the entries:
127.0.0.1 virtual.local
127.0.0.1 blueprint.virtual.local
If I navigate to blueprint.virtual.local:5000, I see the intended result (a page that just says Hello Mate. I believe this proves my subdomain settings are set up properly, at least within flask.
I push my code to my heroku app, and this is where I start running into problems. My heroku site has a custom domain associated with it from before. I start by adding an entry for the new subdomain. Running heroku domains in the terminal gives me:
=== myapp Domain Names
blueprint.mysite.com
www.mysite.com
myapp.herokuapp.com
mysite.com
The first issue I am running into is that I can only either view my site on the heroku URL or the custom domain. This is a result of app.config['SERVER_NAME'] (which I set to get my subdomain working) being linked to either the heroku URL or my custom URL. When it is set to the heroku URL, I can only see the site when I visit it at that URL, and when I go to my custom domain, I get a 404 error. This is reversed when I switch the value of the SERVER_NAME.
The second issue is that I cannot get my subdomain to work with GoDaddy on Heroku. In GoDaddy, I create a CNAME record that points my subdomain (blueprint) to my heroku site (myapp.herokuapp.com). Is this correct? I get a 404 error whenever I visit the subdomain on my custom domain (blueprint.mysite.com). I believe this is related to the first issue, but I am not sure. Am I missing any steps?
Any advice on the proper way to set this up, so that I can use Flask subdomains on Heroku, being hosted on a custom domain on GoDaddy? Thanks in advance!
I suspect you're confusing Flask Blueprints and Heroku apps. A flask app (and its containing git repository, in this case) is one and only one Heroku app (a single domain, or subdomian... but crucially, only one of them).
A Flask Blueprint is a way of organizing individual sections of a single Flask app to be more modular.
To create Heroku Apps at awesome.darrellsilver.com and sauce.darrellsilver.com you should set up two independent Flask Apps, in two independent Git repos.
For what it is worth, I had 404 issues when I switched to an SSL endpoint using Flask on Heroku. All I had to do was change the app.config "SERVER_NAME" to the new "www.CUSTOMENDPOINTNAME.com" address from the "CUSTOMENDPOINTNAME.herokuapp.com" which was there previously.
I have two development servers written with Python/Django - one API server(it's not solely an API server; it has UI and etc.), and another one is a demo app used to serve data by communicating to the API server. I invoke the demo app with iframe in the API server. After successfully getting response from the demo app, the original user session of the API server is lost(supposed to have two sessions -- one from the user of the API server, one from communication between the demo app and the API server).
Any idea what happened?
If you are running both on the same server, the session cookie might be overwritten since they both expect a sessionid cookie. If a sessionid doesn't exist a new one is generated, so when you access the outer app, you get a sessionid cookie, and that gets passed to the iframe app which doesn't recognize it and generates a new one. Try giving each app it's own unique SESSION_COOKIE_NAME
I've recently deployed a Flask app on Heroku. It provides an API on top of an existing API and requires a confidential API key for the original service from the user. The app is really just a few forms, the values of which are passed with ajax to a specific URL on the server. Nothing fancy. I take steps to not store confidential information in the app and want no traces of it anywhere within the app.
Looking at the logs from heroku logs --source heroku, the heroku router process stores all HTTP requests for the app, including those requests that include the confidential information.
Is there a way to specify the log format for the heroku process so as to not store the URL served?
As other commenters mentioned, it is a bad practice to put confidential info in a URL. These could get cached or logged by a number of systems (e.g. routers, proxy servers, caches) on the roundtrip to the server. There are a couple ways to solve this:
Put them in a the Authorization header. This is probably the most common way authentication is handled for REST-based APIs.
Put them in the POST body. This works to get it out of the URL, but is a little weird semantically to say that your are POSTing the credentials to some resource (if this a REST API), unless it is a login call.