
Respect the domain for the session cookie. This fixes #79

1 parent 56796f0 commit da514b398429653dbd368c6da48c9863d3c2632f @mitsuhiko mitsuhiko committed Jul 6, 2010
Showing with 19 additions and 2 deletions.
  1. +5 −2 flask/app.py
  2. +14 −0 tests/flask_tests.py
@@ -420,11 +420,14 @@ def save_session(self, session, response):
object)
:param response: an instance of :attr:`response_class`
"""
- expires = None
+ expires = domain = None
if session.permanent:
expires = datetime.utcnow() + self.permanent_session_lifetime
+ if self.config['SERVER_NAME'] is not None:
+ domain = '.' + self.config['SERVER_NAME']
session.save_cookie(response, self.session_cookie_name,
- expires=expires, httponly=True)
+ expires=expires, httponly=True,
+ domain=domain)
def register_module(self, module, **options):
"""Registers a module with this application. The keyword argument
@@ -172,6 +172,20 @@ def get():
assert c.post('/set', data={'value': '42'}).data == 'value set'
assert c.get('/get').data == '42'
+ def test_session_using_server_name(self):
+ app = flask.Flask(__name__)
+ app.config.update(
+ SECRET_KEY='foo',
+ SERVER_NAME='example.com'
+ )
+ @app.route('/')
+ def index():
+ flask.session['testing'] = 42
+ return 'Hello World'
+ rv = app.test_client().get('/', 'http://example.com/')
+ assert 'domain=.example.com' in rv.headers['set-cookie'].lower()
+ assert 'httponly' in rv.headers['set-cookie'].lower()
+
def test_missing_session(self):
app = flask.Flask(__name__)
def expect_exception(f, *args, **kwargs):
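Review bot: test_session_using_server_name only covers the SERVER_NAME-set path; nothing checks that the cookie still carries no Domain attribute when SERVER_NAME is unset, so a regression that always emits `domain=` would pass. Appending a second request to the same test pins that case: `app.config['SERVER_NAME'] = None`, `rv = app.test_client().get('/', 'http://example.com/')`, `assert 'domain=' not in rv.headers['set-cookie'].lower()`. The new test method is complete within the hunk, but its enclosing test class starts outside it.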
