CookieTransport implements a set and delete cookie of starlette. In the set_cookie of starlette all possible options are present (secure and samesite for this issue). The delete_cookie of starlette makes an expired cookie by using the set_cookie; at this point only key, expires, max_age, path and domain are used.
Not sure deleted cookies should have those parameters, if so bug is in starlette package.
* logout response sets proper response headers
logout response is using starlette delete cookie. In starlette the samesite and secure attributes are not in the header but are needed to set the removed cookie client side. Implementing set_cookie with an empty cookie-value and a max_age of 0 will set a new expired cookie by the client.
related issue #846
* fixed linting
Co-authored-by: Pentem <martijn.pentenga@movares.nl>
For my angular project I need to set the cookie's SameSite header to 'None' so 'Set-Cookie' is set by the angular app.
I defined the cookie transport:
On a login call the browser is receiving the following cookie:
and the cookie will be set.
On a logout call the browser is receiving the following cookie:
Setting cookie is blocked by SameSite attribute lax!
To Reproduce
Steps to reproduce the behavior:
setup fastapi-users cookie backend
setup angular project to call login and logout
look in network calls
Expected behavior
On the delete cookie endpoint return response headers with samesite attribute as defined in the cookie transport.
Configuration
FastAPI Users configuration
see repo for config.
edit:
I have found the issue:
CookieTransport implements a set and delete cookie of starlette. In the set_cookie of starlette all possible options are present (secure and samesite for this issue). The delete_cookie of starlette makes an expired cookie by using the set_cookie; at this point only key, expires, max_age, path and domain are used.
Not sure deleted cookies should have those parameters, if so bug is in starlette package.
fix for fastapi-users:
on CookieTransport class make sure the get_logout_response is using the set_cookie method of starlette and set cookie-value to '' and max_age to 0
commit 113bcf0 PR: #848
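As an added illustration (not code from fastapi-users or Starlette), the following reproduces the difference the issue describes: the old delete_cookie path serialises only key, max_age, path and domain, so SameSite and Secure never reach the browser, while the PR's set_cookie with value '' and max_age=0 keeps them. The serialiser mirrors Starlette's use of http.cookies.SimpleCookie but is a hypothetical reimplementation, and the cookie name and domain are constructed values.

```python
import http.cookies


def build_set_cookie(key, value="", max_age=None, path="/", domain=None,
                     secure=False, httponly=False, samesite=None):
    # Mirrors how Starlette's set_cookie serialises a cookie via SimpleCookie
    # (hypothetical reimplementation for this example, not Starlette's API).
    cookie = http.cookies.SimpleCookie()
    cookie[key] = value
    if max_age is not None:
        cookie[key]["max-age"] = max_age
    if path is not None:
        cookie[key]["path"] = path
    if domain is not None:
        cookie[key]["domain"] = domain
    if secure:
        cookie[key]["secure"] = True
    if httponly:
        cookie[key]["httponly"] = True
    if samesite is not None:
        cookie[key]["samesite"] = samesite
    return cookie.output(header="").strip()

def legacy_delete_cookie(key, path="/", domain=None):
    # What the old delete_cookie path produced: only key, max_age, path and
    # domain (expires omitted here), so SameSite and Secure are dropped.
    return build_set_cookie(key, "", max_age=0, path=path, domain=domain)

def logout_set_cookie(key, path="/", domain=None, secure=True,
                      httponly=True, samesite="none"):
    # The PR's fix: expire via set_cookie with value '' and max_age=0,
    # keeping every attribute the CookieTransport was configured with.
    return build_set_cookie(key, "", max_age=0, path=path, domain=domain,
                            secure=secure, httponly=httponly, samesite=samesite)

def cookie_attributes(header):
    # Parse one Set-Cookie header value into lower-cased attributes.
    name_value, *attrs = header.split(";")
    name, _, value = name_value.partition("=")
    parsed = {"name": name.strip(), "value": value.strip().strip('"')}
    for attr in attrs:
        k, _, v = attr.strip().partition("=")
        parsed[k.lower()] = v.strip() if v else True
    return parsed

def clears_samesite_none_cookie(header):
    # A cross-site logout only works if the expiring cookie is itself
    # SameSite=None and Secure; otherwise the browser rejects it (issue #846).
    a = cookie_attributes(header)
    return (a.get("max-age") == "0" and a.get("secure") is True
            and str(a.get("samesite", "")).lower() == "none")
```

Running clears_samesite_none_cookie over the Set-Cookie header of a real logout response is a quick regression check for the behaviour this PR fixes.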