New Feature: Added Support for cookie's SameSite attribute.

2018-01-23 13:57:50 +00:00 · 2018-01-23 13:57:50 +00:00 · a1d9ebe4ab
commit a1d9ebe4ab
parent 22708b048d
5 changed files with 61 additions and 4 deletions
--- a/flask/app.py
+++ b/flask/app.py
@ -284,6 +284,7 @@ class Flask(_PackageBoundObject):
        'SESSION_COOKIE_PATH':                  None,
        'SESSION_COOKIE_HTTPONLY':              True,
        'SESSION_COOKIE_SECURE':                False,
+        'SESSION_COOKIE_SAMESITE':              None,
        'SESSION_REFRESH_EACH_REQUEST':         True,
        'MAX_CONTENT_LENGTH':                   None,
        'SEND_FILE_MAX_AGE_DEFAULT':            timedelta(hours=12),
--- a/flask/sessions.py
+++ b/flask/sessions.py
@ -249,6 +249,13 @@ class SessionInterface(object):
        """
        return app.config['SESSION_COOKIE_SECURE']

+    def get_cookie_samesite(self, app):
+        """Returns "Strict", "Lax" or None if the cookie should use
+        samesite attribute.  This currently just returns the value of
+        the ``SESSION_COOKIE_SAMESITE`` setting.
+        """
+        return app.config['SESSION_COOKIE_SAMESITE']
+
    def get_expiration_time(self, app, session):
        """A helper method that returns an expiration date for the session
        or ``None`` if the session is linked to the browser session.  The
@ -362,6 +369,7 @@ class SecureCookieSessionInterface(SessionInterface):

        httponly = self.get_cookie_httponly(app)
        secure = self.get_cookie_secure(app)
+        samesite = self.get_cookie_samesite(app)
        expires = self.get_expiration_time(app, session)
        val = self.get_signing_serializer(app).dumps(dict(session))
        response.set_cookie(
@ -371,5 +379,6 @@ class SecureCookieSessionInterface(SessionInterface):
            httponly=httponly,
            domain=domain,
            path=path,
-            secure=secure
+            secure=secure,
+            samesite=samesite
        )