From 4a1766c252bac0de1368cc4eaefba1299f77d546 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89loi=20Rivard?= Date: Mon, 15 Apr 2024 18:28:25 +0200 Subject: [PATCH] document caveats on SESSION_COOKIE_DOMAIN Changing this value might result in browsers with several competing session cookies. In that situation there is no guarantee of which one will be sent first, and be used as the session cookie. --- docs/config.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/config.rst b/docs/config.rst index 7828fb92..732cfd30 100644 --- a/docs/config.rst +++ b/docs/config.rst @@ -142,6 +142,12 @@ The following configuration values are used internally by Flask: Default: ``None`` + .. warning:: + If this is changed after the browser created a cookie is created with + one setting, it may result in another being created. Browsers may send + send both in an undefined order. In that case, you may want to change + :data:`SESSION_COOKIE_NAME` as well or otherwise invalidate old sessions. + .. versionchanged:: 2.3 Not set by default, does not fall back to ``SERVER_NAME``.
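Review bot: The first sentence of the added warning has a wording slip, "after the browser created a cookie is created with one setting", and the following lines repeat "send" across the line break ("Browsers may send" / "send both"). Suggested text: "If this is changed after the browser created a cookie with one setting, it may result in another being created. Browsers may send both in an undefined order." The warning could also state the consequence given in the commit message, that there is no guarantee which of the competing cookies ends up being used as the session cookie, so readers understand why changing :data:`SESSION_COOKIE_NAME` or invalidating old sessions is recommended.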