Handle missing secret key during session save

2026-03-27 11:28:04 +00:00 · 2026-03-27 11:28:04 +00:00 · b00c66248d
commit b00c66248d
parent 7ef2946fb5
2 changed files with 28 additions and 6 deletions
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@ -13,6 +13,12 @@ from werkzeug.datastructures import CallbackDict

 from .json.tag import TaggedJSONSerializer

+_missing_secret_key_err_msg = (
+    "The session is unavailable because no secret "
+    "key was set.  Set the secret_key on the "
+    "application to something unique and secret."
+)
+
 if t.TYPE_CHECKING:  # pragma: no cover
    import typing_extensions as te

@ -87,11 +93,7 @@ class NullSession(SecureCookieSession):
    """

    def _fail(self, *args: t.Any, **kwargs: t.Any) -> t.NoReturn:
-        raise RuntimeError(
-            "The session is unavailable because no secret "
-            "key was set.  Set the secret_key on the "
-            "application to something unique and secret."
-        )
+        raise RuntimeError(_missing_secret_key_err_msg)

    __setitem__ = __delitem__ = clear = pop = popitem = update = setdefault = _fail
    del _fail
@ -370,7 +372,12 @@ class SecureCookieSessionInterface(SessionInterface):
            return

        expires = self.get_expiration_time(app, session)
-        val = self.get_signing_serializer(app).dumps(dict(session))  # type: ignore[union-attr]
+        s = self.get_signing_serializer(app)
+
+        if s is None:
+            raise RuntimeError(_missing_secret_key_err_msg)
+
+        val = s.dumps(dict(session))
        response.set_cookie(
            name,
            val,
--- a/tests/test_session_interface.py
+++ b/tests/test_session_interface.py
@ -1,3 +1,5 @@
+import pytest
+
 import flask
 from flask.globals import app_ctx
 from flask.sessions import SessionInterface
@ -26,3 +28,16 @@ def test_open_session_with_endpoint():

    response = app.test_client().get("/")
    assert response.status_code == 200
+
+
+def test_save_session_without_secret_key(app):
+    app.secret_key = "test key"
+    session = app.session_interface.session_class({"foo": "bar"})
+    session.modified = True
+    app.secret_key = None
+
+    with pytest.raises(RuntimeError) as e:
+        app.session_interface.save_session(app, session, app.response_class())
+
+    assert e.value.args and "session is unavailable" in e.value.args[0]
+    assert "no secret key was set" in e.value.args[0]