Chop of ports for session cookies. This fixes #253

flask/app.py

@@ -602,7 +602,8 @@ class Flask(_PackageBoundObject):
         if session.permanent:
             expires = datetime.utcnow() + self.permanent_session_lifetime
         if self.config['SERVER_NAME'] is not None:
-            domain = '.' + self.config['SERVER_NAME']
+            # chop of the port which is usually not supported by browsers
+            domain = '.' + self.config['SERVER_NAME'].rsplit(':', 1)[0]
         session.save_cookie(response, self.session_cookie_name,
                             expires=expires, httponly=True, domain=domain)
 

tests/flask_tests.py

@@ -306,6 +306,20 @@ class BasicFunctionalityTestCase(unittest.TestCase):
         assert 'domain=.example.com' in rv.headers['set-cookie'].lower()
         assert 'httponly' in rv.headers['set-cookie'].lower()
 
+    def test_session_using_server_name_and_port(self):
+        app = flask.Flask(__name__)
+        app.config.update(
+            SECRET_KEY='foo',
+            SERVER_NAME='example.com:8080'
+        )
+        @app.route('/')
+        def index():
+            flask.session['testing'] = 42
+            return 'Hello World'
+        rv = app.test_client().get('/', 'http://example.com:8080/')
+        assert 'domain=.example.com' in rv.headers['set-cookie'].lower()
+        assert 'httponly' in rv.headers['set-cookie'].lower()
+
     def test_missing_session(self):
         app = flask.Flask(__name__)
         def expect_exception(f, *args, **kwargs):