Merge pull request #4486 from uedvt359/pr-deletecookie

Preserve HttpOnly flag when deleting session cookie
2022-03-15 06:38:35 -07:00 · 2022-03-15 06:38:35 -07:00 · 0ef1e65f6a
commit 0ef1e65f6a
parent b655a9db30 b707bf443a
2 changed files with 9 additions and 2 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -45,6 +45,8 @@ Unreleased
 -   When using lazy loading (the default with the debugger), the Click
    context from the ``flask run`` command remains available in the
    loader thread. :issue:`4460`
+-   Deleting the session cookie uses the ``httponly`` flag.
+    :issue:`4485`


 Version 2.0.3
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@ -383,13 +383,19 @@ class SecureCookieSessionInterface(SessionInterface):
        path = self.get_cookie_path(app)
        secure = self.get_cookie_secure(app)
        samesite = self.get_cookie_samesite(app)
+        httponly = self.get_cookie_httponly(app)

        # If the session is modified to be empty, remove the cookie.
        # If the session is empty, return without setting the cookie.
        if not session:
            if session.modified:
                response.delete_cookie(
-                    name, domain=domain, path=path, secure=secure, samesite=samesite
+                    name,
+                    domain=domain,
+                    path=path,
+                    secure=secure,
+                    samesite=samesite,
+                    httponly=httponly,
                )

            return
@ -401,7 +407,6 @@ class SecureCookieSessionInterface(SessionInterface):
        if not self.should_set_cookie(app, session):
            return

-        httponly = self.get_cookie_httponly(app)
        expires = self.get_expiration_time(app, session)
        val = self.get_signing_serializer(app).dumps(dict(session))  # type: ignore
        response.set_cookie(