include samesite and secure when removing session cookie (#3726)

Mathurshan Vimalesvaran 2020-11-04 21:16:05 -05:00 committed by GitHub
parent 7a444c5dab
commit 22987b6817
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 3 deletions


@ -42,6 +42,8 @@ Unreleased
attributes just like ``Flask``, rather than opaque lambda functions. attributes just like ``Flask``, rather than opaque lambda functions.
This is intended to improve consistency and maintainability. This is intended to improve consistency and maintainability.
:issue:`3215` :issue:`3215`
- Include ``samesite`` and ``secure`` options when removing the
session cookie. :pr:`3726`
Version 1.1.x Version 1.1.x


@ -351,12 +351,16 @@ class SecureCookieSessionInterface(SessionInterface):
name = self.get_cookie_name(app) name = self.get_cookie_name(app)
domain = self.get_cookie_domain(app) domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app) path = self.get_cookie_path(app)
secure = self.get_cookie_secure(app)
samesite = self.get_cookie_samesite(app)
# If the session is modified to be empty, remove the cookie. # If the session is modified to be empty, remove the cookie.
# If the session is empty, return without setting the cookie. # If the session is empty, return without setting the cookie.
if not session: if not session:
if session.modified: if session.modified:
response.delete_cookie(name, domain=domain, path=path) response.delete_cookie(
name, domain=domain, path=path, secure=secure, samesite=samesite
)
return return
@ -368,8 +372,6 @@ class SecureCookieSessionInterface(SessionInterface):
return return
httponly = self.get_cookie_httponly(app) httponly = self.get_cookie_httponly(app)
secure = self.get_cookie_secure(app)
samesite = self.get_cookie_samesite(app)
expires = self.get_expiration_time(app, session) expires = self.get_expiration_time(app, session)
val = self.get_signing_serializer(app).dumps(dict(session)) val = self.get_signing_serializer(app).dumps(dict(session))
response.set_cookie( response.set_cookie(
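Review bot: The removal branch at `response.delete_cookie(` now carries `secure` and `samesite` but still omits `httponly`, which is only read further down (`httponly = self.get_cookie_httponly(app)`) on the set path; reading it alongside `secure`/`samesite` before the `if not session:` check and passing `httponly=httponly` to `delete_cookie` would keep the expiring cookie's attributes identical to the one it replaces. The motivation is worth a comment, since the previous three-argument call looked complete: `# The expiring cookie must carry the same secure/samesite attributes as the one it replaces, or a browser may refuse to overwrite a Secure cookie with a non-Secure Set-Cookie.` Whether `delete_cookie` accepts the `secure` and `samesite` keywords depends on the Werkzeug version this branch requires; confirm the minimum pin covers it. The enclosing method starts before and ends after these hunks.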


@ -322,6 +322,19 @@ def test_session_using_session_settings(app, client):
assert "httponly" not in cookie assert "httponly" not in cookie
assert "samesite" in cookie assert "samesite" in cookie
@app.route("/clear")
def clear():
flask.session.pop("testing", None)
return "Goodbye World"
rv = client.get("/clear", "http://www.example.com:8080/test/")
cookie = rv.headers["set-cookie"].lower()
assert "session=;" in cookie
assert "domain=.example.com" in cookie
assert "path=/" in cookie
assert "secure" in cookie
assert "samesite" in cookie
def test_session_using_samesite_attribute(app, client): def test_session_using_samesite_attribute(app, client):
@app.route("/") @app.route("/")