fix: enable strong session protection by default

[dpgaspar]

SUMMARY

Enable strong session protection by default. This is a more secure sane default, more details on: https://flask-login.readthedocs.io/en/latest/#session-protection

When session protection is active, each request, it generates an identifier for the user’s computer (basically, a secure hash of the IP address and user agent). If the session does not have an associated identifier, the one generated will be stored. If it has an identifier, and it matches the one generated, then the request is OK.
If the identifiers do not match in basic mode, or when the session is permanent, then the session will simply be marked as non-fresh, and anything requiring a fresh login will force the user to re-authenticate. (Of course, you must be already using fresh logins where appropriate for this to have an effect.)
If the identifiers do not match in strong mode for a non-permanent session, then the entire session (as well as the remember token if it exists) is deleted.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #24256 (bf82cbc) into master (d1c57e0) will decrease coverage by 0.09%.
The diff coverage is 100.00%.

❗ Current head bf82cbc differs from pull request most recent head 93367ef. Consider uploading reports for the commit 93367ef to get more accurate results

@@            Coverage Diff             @@
##           master   #24256      +/-   ##
==========================================
- Coverage   68.31%   68.22%   -0.09%     
==========================================
  Files        1957     1957              
  Lines       75596    75597       +1     
  Branches     8222     8222              
==========================================
- Hits        51640    51576      -64     
- Misses      21848    21913      +65     
  Partials     2108     2108              

Flag	Coverage Δ
hive	?
mysql	78.92% <100.00%> (+<0.01%)	⬆️
postgres	78.99% <100.00%> (+<0.01%)	⬆️
presto	53.29% <100.00%> (+<0.01%)	⬆️
python	82.64% <100.00%> (-0.18%)	⬇️
sqlite	77.53% <100.00%> (+<0.01%)	⬆️
unit	53.42% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
superset-frontend/src/components/Table/index.tsx	75.29% <ø> (ø)
superset-frontend/src/dashboard/types.ts	100.00% <ø> (ø)
...set-frontend/src/dashboard/util/permissionUtils.ts	86.66% <ø> (ø)
...perset-frontend/src/hooks/apiResources/queryApi.ts	100.00% <ø> (ø)
superset/config.py	92.02% <100.00%> (+0.02%)	⬆️

... and 4 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[michael-s-molina]

Do you think it's worth adding something to UPDATING.md?

[dpgaspar]

I think so, more is better then less

[michael-s-molina]

LGTM

[villebro]

LGTM

[virgofx]

Just an FYI - With session protection strong, this breaks selenium drivers connecting to app (which means things like cache warmup and thumbnails don't work). I had to revert to none which worked but didn't test basic. There may be some additional work here to update the machine auth function to properly work when this is enabled

[mapledan]

I am facing the same issue where the Alert&Report are not working properly.
To resolve this issue, I need to configure the SESSION_PROTECTION to None.

Just an FYI - With session protection strong, this breaks selenium drivers connecting to app (which means things like cache warmup and thumbnails don't work). I had to revert to none which worked but didn't test basic. There may be some additional work here to update the machine auth function to properly work when this is enabled

[sfirke]

Alerts & Reports works for me with SESSION_PROTECTION = "basic".

"strong" prevented me from logging in entirely, so I couldn't test Alerts & Reports with that value.

[dpgaspar]

ok, thank you for the reports, I'll work on a fix for this