Comments (7)
I can think of the Configuration Handling > SESSION_COOKIE_DOMAIN section, or the Security > Set-Cookie Options section indeed.
I would expect to read about this more in the configuration section, I think. As you prefer.
from flask.
I am confident that we are currently doing the right thing with cookie domain. I spent a long time looking through the relevant current specs and browser behavior when reviewing that code last year.
Given the current way browsers handle cookies, it is less secure to set the domain property than to leave it unset. You're seeing the result of the two different behaviors here. When you set a domain, the cookie is valid for that and all subdomains. When you don't set a domain, the browser makes it valid only for the domain that requested it. When both cookies are set, the browser has to pick one to send first.
from flask.
You can attempt to issue a few extra response.delete_cookie calls for each setting on some response, but beyond that we can't really affect what the browser stores and sends if you start sending it different overlapping things at different times.
from flask.
> When both cookies are set, the browser has to pick one to send first.

Does Flask have to pick the first one sent by the browser, or would it make sense for Flask to use the cookie with the most suitable domain, if that information is ever available?

> You can attempt to issue a few extra response.delete_cookie calls for each setting on some response

response.delete_cookie("session", "flask.localhost") works, but response.delete_cookie("session", ".flask.localhost") does not, whatever the value of SESSION_COOKIE_DOMAIN.
from flask.
The domain information is not present in the Cookie request header, it is only key=value.
A leading dot is irrelevant in modern browsers, it's equivalent to the same domain without the dot. So both those calls are the same. The other call would be delete_cookie without the domain at all.
from flask.
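The browser behaviour the two maintainer comments above describe (a host-only cookie when no Domain attribute is sent, a subdomain-wide cookie when one is sent, both delivered as bare name=value pairs in one Cookie header, and a leading dot on Domain being ignored) can be reproduced with a small model of a browser cookie store. The following is an added example written for this page, not Flask or Werkzeug code; it follows RFC 6265 section 5.3/5.4 storage and matching rules, with the host-only flag included in the cookie's identity as RFC 6265bis specifies. The hostname flask.localhost and the cookie values are constructed for the demonstration, and the Set-Cookie strings stand in for what Flask emits with SESSION_COOKIE_DOMAIN unset and then set.

```python
# Added example (not Flask or Werkzeug code): a minimal model of how a browser
# stores cookies (RFC 6265 sections 5.3 and 5.4, identity per RFC 6265bis) and
# builds the Cookie request header, used to reproduce the "two session cookies"
# situation from this thread. Hostnames and cookie values are constructed.
from dataclasses import dataclass
import itertools


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str       # canonical form: lower-case, no leading dot
    path: str
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    created: int      # insertion order, used for Cookie header ordering


def _domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain matching: exact host or a subdomain of `domain`."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self):
        self._store = {}             # (name, domain, path, host_only) -> cookie
        self._clock = itertools.count()

    def receive(self, request_host: str, set_cookie: str) -> None:
        """Process one Set-Cookie header received from request_host."""
        request_host = request_host.lower()
        first, *rest = [p.strip() for p in set_cookie.split(";")]
        name, _, value = first.partition("=")
        attrs = {}
        for part in rest:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
        domain = attrs.get("domain", "")
        if domain:
            # Domain attribute present: leading dot is ignored, the cookie
            # covers the domain and all of its subdomains.
            domain = domain.lstrip(".").lower()
            if not _domain_matches(request_host, domain):
                return              # browser rejects a domain it is not under
            host_only = False
        else:
            # No Domain attribute: host-only cookie for the exact request host.
            domain, host_only = request_host, True
        path = attrs.get("path", "/")
        key = (name, domain, path, host_only)
        if attrs.get("max-age") == "0":
            # What delete_cookie() sends: evict the cookie with the same identity.
            self._store.pop(key, None)
            return
        old = self._store.get(key)
        created = old.created if old else next(self._clock)
        self._store[key] = StoredCookie(name, value, domain, path, host_only, created)

    def cookie_header(self, request_host: str, request_path: str = "/") -> str:
        """Build the Cookie request header a browser sends: name=value only."""
        request_host = request_host.lower()
        sent = []
        for c in self._store.values():
            if c.host_only and request_host != c.domain:
                continue
            if not c.host_only and not _domain_matches(request_host, c.domain):
                continue
            if not request_path.startswith(c.path):
                continue
            sent.append(c)
        # Section 5.4: longer paths first, then earlier creation time first.
        sent.sort(key=lambda c: (-len(c.path), c.created))
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def overlapping_session_cookies() -> CookieJar:
    """Reproduce the thread: a host-only cookie set while SESSION_COOKIE_DOMAIN
    was unset, then a domain cookie set after SESSION_COOKIE_DOMAIN was configured."""
    jar = CookieJar()
    jar.receive("flask.localhost", "session=host-only; Path=/; HttpOnly")
    jar.receive("flask.localhost",
                "session=domain-wide; Domain=.flask.localhost; Path=/; HttpOnly")
    return jar


def delete_with_domain(jar: CookieJar, domain: str) -> str:
    """Model of response.delete_cookie('session', domain=domain)."""
    jar.receive("flask.localhost", f"session=; Domain={domain}; Path=/; Max-Age=0")
    return jar.cookie_header("flask.localhost")


def delete_without_domain(jar: CookieJar) -> str:
    """Model of response.delete_cookie('session') with no domain at all."""
    jar.receive("flask.localhost", "session=; Path=/; Max-Age=0")
    return jar.cookie_header("flask.localhost")


if __name__ == "__main__":
    jar = overlapping_session_cookies()
    print(jar.cookie_header("flask.localhost"))      # both cookies, no domain info
    print(jar.cookie_header("api.flask.localhost"))  # only the domain cookie
    print(delete_with_domain(jar, ".flask.localhost"))
    print(delete_without_domain(jar))
```

Running it shows the server-side view the maintainers describe: a request to flask.localhost carries `session=host-only; session=domain-wide`, with nothing in the header saying which is which, while a subdomain only receives the domain cookie. Deleting with `Domain=flask.localhost` or `Domain=.flask.localhost` evicts the same stored cookie (the dotted and undotted forms have the same identity), and only a delete without a Domain attribute removes the host-only cookie. Changing SESSION_COOKIE_NAME, the workaround reported later in the thread, simply makes the server stop reading either of the stale `session` entries.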
I see, thank you for your insight.
In the end I could solve the situation simply by abandoning both cookies by changing the SESSION_COOKIE_NAME.
I think this would be worth mentioning in the documentation though. Would you be OK if I write a little caveat paragraph about this?
from flask.
Sure, but where? It might be mentioned in the Werkzeug API docs already. Maybe in the security section for the Flask docs?
from flask.