Changed session cookie defaults to work better with google chrome

pallets · Jan 29, 2013 · bfeee75 · bfeee75
1 parent 6bd0080
commit bfeee75
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/CHANGES b/CHANGES
@@ -49,6 +49,8 @@ Release date to be decided.
   exception is passed through.
 - Added a workaround for chrome's cookies in localhost not working
   as intended with domain names.
+- Changed logic for picking defaults for cookie values from sessions
+  to work better with Google Chrome.
 
 Version 0.9
 -----------

diff --git a/flask/sessions.py b/flask/sessions.py
@@ -193,11 +193,21 @@ def get_cookie_domain(self, app):
         if app.config['SERVER_NAME'] is not None:
             # chop of the port which is usually not supported by browsers
             rv = '.' + app.config['SERVER_NAME'].rsplit(':', 1)[0]
+
             # Google chrome does not like cookies set to .localhost, so
             # we just go with no domain then.  Flask documents anyways that
             # cross domain cookies need a fully qualified domain name
             if rv == '.localhost':
                 rv = None
+
+            # If we infer the cookie domain from the server name we need
+            # to check if we are in a subpath.  In that case we can't
+            # set a cross domain cookie.
+            if rv is not None:
+                path = self.get_cookie_path(app)
+                if path != '/':
+                    rv = rv.lstrip('.')
+
             return rv
 
     def get_cookie_path(self, app):

diff --git a/flask/testsuite/basic.py b/flask/testsuite/basic.py
@@ -190,6 +190,22 @@ def index():
         self.assert_('domain=.example.com' in rv.headers['set-cookie'].lower())
         self.assert_('httponly' in rv.headers['set-cookie'].lower())
 
+    def test_session_using_server_name_port_and_path(self):
+        app = flask.Flask(__name__)
+        app.config.update(
+            SECRET_KEY='foo',
+            SERVER_NAME='example.com:8080',
+            APPLICATION_ROOT='/foo'
+        )
+        @app.route('/')
+        def index():
+            flask.session['testing'] = 42
+            return 'Hello World'
+        rv = app.test_client().get('/', 'http://example.com:8080/foo')
+        self.assert_('domain=example.com' in rv.headers['set-cookie'].lower())
+        self.assert_('path=/foo' in rv.headers['set-cookie'].lower())
+        self.assert_('httponly' in rv.headers['set-cookie'].lower())
+
     def test_session_using_application_root(self):
         class PrefixPathMiddleware(object):
             def __init__(self, app, prefix):