Preserve HttpOnly flag when deleting session cookie

fixes #4485
2022-03-15 10:22:38 +01:00 · 2022-03-15 10:22:38 +01:00 · b707bf443a
commit b707bf443a
parent b655a9db30
2 changed files with 9 additions and 2 deletions
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@ -383,13 +383,19 @@ class SecureCookieSessionInterface(SessionInterface):
        path = self.get_cookie_path(app)
        secure = self.get_cookie_secure(app)
        samesite = self.get_cookie_samesite(app)
+        httponly = self.get_cookie_httponly(app)

        # If the session is modified to be empty, remove the cookie.
        # If the session is empty, return without setting the cookie.
        if not session:
            if session.modified:
                response.delete_cookie(
-                    name, domain=domain, path=path, secure=secure, samesite=samesite
+                    name,
+                    domain=domain,
+                    path=path,
+                    secure=secure,
+                    samesite=samesite,
+                    httponly=httponly,
                )

            return
@ -401,7 +407,6 @@ class SecureCookieSessionInterface(SessionInterface):
        if not self.should_set_cookie(app, session):
            return

-        httponly = self.get_cookie_httponly(app)
        expires = self.get_expiration_time(app, session)
        val = self.get_signing_serializer(app).dumps(dict(session))  # type: ignore
        response.set_cookie(