Jump to solution
Details

flask Secret Key Rotation (Fix)

Fixed
Spec
Package
flask
Fixed In
3.1.0
Verdict
Status
Fixed
Safe for prod
Yes
Risk
Low
Last verified
2026-02-09
Own content ratio
0.74
#5428 ai security Idempotency Violation Updated: 2026-02-13
Issue #5428

The Fix

Upgrade to version 3.1.0 or later.

Based on closed pallets/flask issue #5428 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Open PR/Commit
@@ -20,6 +20,9 @@ Unreleased ``load_dotenv`` loads default files in addition to a path unless ``load_defaults=False`` is passed. :issue:`5628` +- Support key rotation with the ``SECRET_KEY_FALLBACKS`` config, a list of old + secret keys that can still be used for unsigning. Extensions will need to + add support. :issue:`5621`
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 3.1.0 or later.\nWhen NOT to use: This fix should not be used if session invalidation is required upon key change.\n\n

Why This Fix Works in Production

  • Trigger: Developers cannot rotate secret keys without invalidating active sessions.
  • Mechanism: The lack of support for secret key rotation in Flask's session management
  • Why the fix works: Enables secret key rotation by introducing a new configuration option, SECRET_KEY_FALLBACKS, allowing developers to manage old keys for unsigning sessions. (first fixed release: 3.1.0).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • The lack of support for secret key rotation in Flask's session management
  • Production symptom (often without a traceback): Developers cannot rotate secret keys without invalidating active sessions.

Proof / Evidence

  • GitHub issue: #5428
  • Fix PR: https://github.com/pallets/flask/pull/5632
  • First fixed release: 3.1.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.95
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.74

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“Same previously closed discussions still apply.”
@davidism · 2024-03-01 · source

Failure Signature (Search String)

  • Developers cannot rotate secret keys without invalidating active sessions.
Copy-friendly signature
signature.txt
Failure Signature ----------------- Developers cannot rotate secret keys without invalidating active sessions.

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- Developers cannot rotate secret keys without invalidating active sessions.

What Broke

Developers cannot rotate secret keys without invalidating active sessions.

Why It Broke

The lack of support for secret key rotation in Flask's session management

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

Upgrade to version 3.1.0 or later.

When NOT to use: This fix should not be used if session invalidation is required upon key change.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Option D — Guard side-effects with OnceOnly Guardrail for side-effects

Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.

  • Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
  • Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
  • Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
Show example snippet (optional)
onceonly.py
from onceonly import OnceOnly import os once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True) # Stable idempotency key per real side-effect. # Use a request id / job id / webhook delivery id / Stripe event id, etc. event_id = "evt_..." # replace key = f"stripe:webhook:{event_id}" res = once.check_lock(key=key, ttl=3600) if res.duplicate: return {"status": "already_processed"} # Safe to execute the side-effect exactly once. handle_event(event_id)

See OnceOnly SDK

When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Fix reference: https://github.com/pallets/flask/pull/5632

First fixed release: 3.1.0

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be used if session invalidation is required upon key change.
  • Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Version Compatibility Table

VersionStatus
3.1.0 Fixed

Related Issues

No related fixes found.

Cluster: flask:configuration-error All hubs All clusters
Related clusters: Data consistency Other Duplicate processing

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #5428. Not affiliated with the library maintainers. Verify before production use.