flask-session | Server side session extension for Flask | Application Framework library

I've figured it out.
Obviously you can't run flask.request.environ.get('REMOTE_ADDR') before the request, even with @app.before_request.
So, to identify sessions (Redis key names) and assign them to app users (so I know which session/key belongs to which user) my app now writes Flask-Session SID along with the logged in username to the Apache error.log:

This is not related to Flask-SocketIO, but to Flask. The background task that you started does not have request and application contexts, so it does not have access to the session (it doesn't even know who the client is).

Flask provides the copy_current_request_context decorator duplicate the request/app contexts from the request handler into a background task.

The example from the Flask documentation uses gevent.spawn() to start the task, but this would be the same for a task started with start_background_task().

The secret key is actually being set, but is not set within the main api/.py that is being called on runtime. Moving the secret key import into the .py file being directly called on runtime resolved this issue.

Searching for the exception, leads to the corresponding eventlet issue: https://github.com/eventlet/eventlet/issues/687

The summary is that eventlet (0.32.0) is currently not compatible with Python 3.10 because it tries to patch types that have become immutable in Python 3.10.

Like with your requirements, it is good practice to be more specific with your Docker dependencies too. Today using the tag 3 for the Python Docker image will give you 3.10.0, unless it is using a cache. In the future it could be a different version. Since there is a compatibility issue with Python 3.10, use Python 3.9 - the currently latest Python 3.9 Docker tag is 3.9.7.

i.e. it should work once you change your first line of the Dockerfile to:

If you have a look for the base image, you could see it just be updated 27hours ago.

I'm sorry but you have been misled. Using Flask-SocketIO just so that you can be notified when a person leaves your site is extremely overkill, and as you've seen, it doesn't even work for your purposes.

If you want to know why you can't make changes to the user session from a Socket.IO event handler the reason is that Flask-SocketIO uses WebSocket. The user session is maintained in a cookie, which can only be modified in a server response to an HTTP request initiated by the client. WebSocket has no ability to modify cookies.

So I would forget about using Flask-SocketIO for this. it's really not one of its use cases.

Instead, I suggest you look into adding a beforeunload event in your page, where you can delete the session cookie directly in the client. For this to work you will also need to set the SESSION_COOKIE_HTTPONLY configuration option to Flask, so that JavaScript in your page can see, modify and delete the cookie. Note that this may have security implications, so think about it very carefully before doing it.

Use Dotenv package

Trying to answer it to the best of my knowledge.

1) Why is the content not encrypted?

You do not really need to worry about the session stored in your server as long as your server is secured. The vulnerability is the session stored as cookies in the browser. To bypass that, the 'SECRET_KEY' is used to let the server sign the session variables before storing them in the browser. That is the reason why you might still see the session in plain text on the server. It will be signed in the browser cookie-data though.

2) When I do session.pop() why is the file not deleted?

To understand what the session.pop does, I did a little exercise. At first, my flask session looked like this:

There appears to be some backward compatibility issues with SocketIO. You can uninstall python-engineio, python-socketio (and Flask-SocketIO just to be on the safe side) and reinstall lower versions.

The combination that worked for me was: