set Vary: Cookie header consistently for session

David Lord 2023-05-01 08:01:32 -07:00
parent 9532cba45d
commit 8705dd39c4
No known key found for this signature in database
GPG key ID: 7A1C87E3F5BC42A8
2 changed files with 29 additions and 4 deletions


@ -329,6 +329,10 @@ class SecureCookieSessionInterface(SessionInterface):
samesite = self.get_cookie_samesite(app)
httponly = self.get_cookie_httponly(app)
# Add a "Vary: Cookie" header if the session was accessed at all.
if session.accessed:
response.vary.add("Cookie")
# If the session is modified to be empty, remove the cookie.
# If the session is empty, return without setting the cookie.
if not session:
@ -341,13 +345,10 @@ class SecureCookieSessionInterface(SessionInterface):
samesite=samesite,
httponly=httponly,
)
response.vary.add("Cookie")
return
# Add a "Vary: Cookie" header if the session was accessed at all.
if session.accessed:
response.vary.add("Cookie")
if not self.should_set_cookie(app, session):
return
@ -363,3 +364,4 @@ class SecureCookieSessionInterface(SessionInterface):
secure=secure,
samesite=samesite,
)
response.vary.add("Cookie")
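Review bot: The two `response.vary.add("Cookie")` calls that follow the `delete_cookie(...)` and `set_cookie(...)` argument lists carry no comment, and next to the `if session.accessed:` check earlier in the method they read as redundant. They appear to cover the case where the cookie is written although the session was not accessed during the request, so that a shared cache does not store a response carrying one user's `Set-Cookie` and serve it to another. I would put a why-comment above each, for example `# A response that sets or deletes the session cookie must vary on Cookie, even if the session was not accessed.`, so a later cleanup does not fold them into the accessed check. The +/- markers are lost on this page, so which of these lines are new is inferred from the hunk counts, and the enclosing method starts outside the hunks.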