orbit-oss/flask
4
4
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

set Vary: Cookie header consistently for session

Browse source
This commit is contained in:
David Lord 2023-05-01 08:01:32 -07:00
parent a6367dac74
commit 8646edca6f
No known key found for this signature in database
GPG key ID: 7A1C87E3F5BC42A8
3 changed files with 30 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGES.rst
View file

@ -4,6 +4,7 @@ Version 2.2.5
Unreleased Unreleased
- Update for compatibility with Werkzeug 2.3.3. - Update for compatibility with Werkzeug 2.3.3.
- Set ``Vary: Cookie`` header when the session is accessed, modified, or refreshed.
Version 2.2.4 Version 2.2.4

10
src/flask/sessions.py
View file

@ -383,6 +383,10 @@ class SecureCookieSessionInterface(SessionInterface):
samesite = self.get_cookie_samesite(app) samesite = self.get_cookie_samesite(app)
httponly = self.get_cookie_httponly(app) httponly = self.get_cookie_httponly(app)
# Add a "Vary: Cookie" header if the session was accessed at all.
if session.accessed:
response.vary.add("Cookie")
# If the session is modified to be empty, remove the cookie. # If the session is modified to be empty, remove the cookie.
# If the session is empty, return without setting the cookie. # If the session is empty, return without setting the cookie.
if not session: if not session:
@ -395,13 +399,10 @@ class SecureCookieSessionInterface(SessionInterface):
samesite=samesite, samesite=samesite,
httponly=httponly, httponly=httponly,
) )
response.vary.add("Cookie")
return return
# Add a "Vary: Cookie" header if the session was accessed at all.
if session.accessed:
response.vary.add("Cookie")
if not self.should_set_cookie(app, session): if not self.should_set_cookie(app, session):
return return
@ -417,3 +418,4 @@ class SecureCookieSessionInterface(SessionInterface):
secure=secure, secure=secure,
samesite=samesite, samesite=samesite,
) )
response.vary.add("Cookie")

23
tests/test_basic.py
View file

@ -560,6 +560,11 @@ def test_session_vary_cookie(app, client):
def setdefault(): def setdefault():
return flask.session.setdefault("test", "default") return flask.session.setdefault("test", "default")
@app.route("/clear")
def clear():
flask.session.clear()
return ""
@app.route("/vary-cookie-header-set") @app.route("/vary-cookie-header-set")
def vary_cookie_header_set(): def vary_cookie_header_set():
response = flask.Response() response = flask.Response()
@ -592,11 +597,29 @@ def test_session_vary_cookie(app, client):
expect("/get") expect("/get")
expect("/getitem") expect("/getitem")
expect("/setdefault") expect("/setdefault")
expect("/clear")
expect("/vary-cookie-header-set") expect("/vary-cookie-header-set")
expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie") expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
expect("/no-vary-header", None) expect("/no-vary-header", None)
def test_session_refresh_vary(app, client):
@app.get("/login")
def login():
flask.session["user_id"] = 1
flask.session.permanent = True
return ""
@app.get("/ignored")
def ignored():
return ""
rv = client.get("/login")
assert rv.headers["Vary"] == "Cookie"
rv = client.get("/ignored")
assert rv.headers["Vary"] == "Cookie"
def test_flashes(app, req_ctx): def test_flashes(app, req_ctx):
assert not flask.session.modified assert not flask.session.modified
flask.flash("Zap") flask.flash("Zap")