Default SESSION_COOKIE_SAMESITE to "Lax"

Change the default value of SESSION_COOKIE_SAMESITE from None to
"Lax". When set to None, Flask does not include the SameSite
attribute on session cookies, relying on browser defaults.

While modern browsers default to Lax behavior when the attribute is
absent, setting it explicitly ensures consistent CSRF defense across
all browser versions, including older ones that do not apply the Lax
default.

Django has defaulted to "Lax" since 2.1 (2018). This aligns Flask
with the ecosystem standard.

Applications that require cross-site cookie behavior can set
SESSION_COOKIE_SAMESITE to None (with SESSION_COOKIE_SECURE=True).
Koda Reef 2026-03-22 23:51:28 +00:00
parent 4cae5d8e41
commit 8342e68712


@ -221,7 +221,7 @@ class Flask(App):
"SESSION_COOKIE_HTTPONLY": True,
"SESSION_COOKIE_SECURE": False,
"SESSION_COOKIE_PARTITIONED": False,
"SESSION_COOKIE_SAMESITE": None,
"SESSION_COOKIE_SAMESITE": "Lax",
"SESSION_REFRESH_EACH_REQUEST": True,
"MAX_CONTENT_LENGTH": None,
"MAX_FORM_MEMORY_SIZE": 500_000,
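Review bot: the change at the `"SESSION_COOKIE_SAMESITE"` line is a behaviour change for every application that relied on the attribute being omitted, but the hunk touches only the defaults dict; the config documentation that lists this default and a changelog entry with an upgrade note are not part of this diff and should accompany it. That note should also say that the opt-out for cross-site cookies is the string `"None"` (which emits `SameSite=None` and must be paired with `SESSION_COOKIE_SECURE=True`, since `"SESSION_COOKIE_SECURE": False` stays the default two lines above), not the Python value `None`, which only restores the old behaviour of omitting the attribute.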