From 1bb087d91c89522e4b6b8e51af6dae4f8a4d994d Mon Sep 17 00:00:00 2001
From: Odio Marcelino
Date: Sun, 29 Jun 2025 23:01:52 +0600
Subject: [PATCH] Fix session cookie path resolution

What was fixed `SessionInterface.get_cookie_path` could return `None` when both `SESSION_COOKIE_PATH` and `APPLICATION_ROOT` were unset, causing the session cookie to be scoped only to the current request path and breaking session persistence across routes.
### How it was fixed The method now:
1. Checks `SESSION_COOKIE_PATH`.
2. Falls back to `APPLICATION_ROOT`.
3. Defaults to `/` if both are `None`.
This guarantees the session cookie is always issued with a valid path, ensuring reliable session handling throughout the application.
Co-Authored-By: S. M. Mohiuddin Khan Shiam <147746955+mohiuddin-khan-shiam@users.noreply.github.com>
---
 src/flask/sessions.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/flask/sessions.py b/src/flask/sessions.py
index 0a357d9e..74a91764 100644
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@@ -204,7 +204,18 @@ class SessionInterface:
 config var if it's set, and falls back to ``APPLICATION_ROOT`` or
 uses ``/`` if it's ``None``.
 """
- return app.config["SESSION_COOKIE_PATH"] or app.config["APPLICATION_ROOT"] # type: ignore[no-any-return]
+ rv = app.config["SESSION_COOKIE_PATH"]
+
+ # If SESSION_COOKIE_PATH is not set, fall back to APPLICATION_ROOT. If
+ that is also ``None`` (the default), use ``/`` so that the cookie is
+ valid for the whole application rather than only the current request
+ path. A ``None`` path would otherwise limit the session cookie to the
+ path that set it, which breaks session persistence between different
+ routes.
+ if rv is None:
+ rv = app.config["APPLICATION_ROOT"] or "/"
+
+ return rv # type: ignore[no-any-return]
 
 def get_cookie_httponly(self, app: Flask) -> bool:
 """Returns True if the session cookie should be httponly. This
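Review bot: `if rv is None:` narrows the fallback that the removed line performed with `or`: an empty-string `SESSION_COOKIE_PATH` no longer falls through to `APPLICATION_ROOT` and is returned as-is, so the cookie would be issued with an empty `Path` and scoped by the browser to the request path — the very failure this commit sets out to fix. `if not rv:` keeps the previous falsy semantics while still covering `None`, and the docstring's "if it's ``None``" could then read "if it's unset". The continuation lines of the added comment appear here without a leading `#`; if that is not an extraction artifact the hunk does not parse. Recent Flask releases ship `APPLICATION_ROOT` with a default of `/`, so the `None` case the description relies on may only arise when a caller sets it to `None` explicitly; worth confirming before documenting it as the default. `get_cookie_path`'s signature lies above the hunk.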