
Not possible to set a session cookie without a domain attribute when SERVER_NAME is set #1784

Closed
wrr opened this issue Apr 18, 2016 · 6 comments


wrr commented Apr 18, 2016

If a cookie has no domain attribute, it is valid only for the exact domain to which the request that sets the cookie is addressed; this is often a desirable behavior. A domain attribute makes the cookie also valid for all sub-domains of the specified domain.

Looking at

def get_cookie_domain(self, app):

if SERVER_NAME is set, a cookie will always have a domain attribute (either explicitly set via SESSION_COOKIE_DOMAIN or inferred from the SERVER_NAME).

Would it be possible to allow setting cookies without a domain when SERVER_NAME is set?

@Fajkowsky

But why? What would be the purpose of this?


wrr commented Apr 28, 2016

@Fajkowsky say the example.org site uses the admin.example.org subdomain for administration purposes and would like to set authentication cookies that are restricted to admin.example.org only.

@untitaker (Contributor)

I don't understand what a decent API would look like. Note that you can already subclass Flask (which is generally encouraged).


wrr commented May 4, 2016

@untitaker ideally SESSION_COOKIE_DOMAIN would be the only setting that controls the domain attribute (the domain would never be set if SESSION_COOKIE_DOMAIN is None). But such a change is not backward compatible.

A backward compatible approach would be to introduce, for example, a SESSION_COOKIE_DOMAIN_FROM_SERVER_NAME setting that defaults to True. With the setting set to True, the current behavior is preserved. With the setting set to False, the domain attribute is set based on the SESSION_COOKIE_DOMAIN only.

@davidism (Member)

You can now set SESSION_COOKIE_DOMAIN = False to explicitly prevent any domain being set on the cookie. #2282
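As an added example (not Flask's own code and not code from anyone in this thread), the block below models the two things the discussion turns on: how the session cookie's Domain attribute is resolved from SESSION_COOKIE_DOMAIN and SERVER_NAME, including the SESSION_COOKIE_DOMAIN = False opt-out, and what that attribute means for cookie scope under the RFC 6265 rules (a cookie with no Domain is host-only; a cookie with Domain=example.org is also sent to every subdomain). The helper names resolve_cookie_domain, domain_matches, cookie_is_sent and admin_cookie_scope are hypothetical, written for this illustration, and the port-stripping of SERVER_NAME is an assumption, not a description of Flask internals.

```python
# Added illustration for this issue; not Flask's implementation.
# Helper names and the SERVER_NAME port handling are assumptions.


def resolve_cookie_domain(config: dict):
    """Return the Domain attribute for the session cookie, or None for host-only.

    Models the behaviour discussed in the thread (hypothetical helper):
      - SESSION_COOKIE_DOMAIN is False -> never set a Domain (host-only cookie)
      - SESSION_COOKIE_DOMAIN is a str -> use it verbatim
      - otherwise fall back to SERVER_NAME (":port" stripped, an assumption)
    """
    configured = config.get("SESSION_COOKIE_DOMAIN")
    if configured is False:
        return None
    if configured:
        return configured
    server_name = config.get("SERVER_NAME")
    if not server_name:
        return None
    return server_name.split(":", 1)[0]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the request host equals the
    cookie domain, or ends with "." + cookie domain (case-insensitive)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_is_sent(cookie_domain, request_host: str, set_on_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?

    cookie_domain None means the cookie was stored as host-only (RFC 6265
    section 5.3), so only the exact host that set it ever receives it.
    """
    if cookie_domain is None:
        return request_host.lower() == set_on_host.lower()
    return domain_matches(request_host, cookie_domain)


# Constructed sample hosts for the admin.example.org scenario from the thread.
SAMPLE_HOSTS = (
    "admin.example.org",
    "www.example.org",
    "example.org",
    "evil-example.org",  # shares a suffix string but is NOT a subdomain
)


def admin_cookie_scope(config: dict, set_on_host: str = "admin.example.org") -> dict:
    """Map each sample host to whether it would receive a session cookie that
    admin.example.org set under the given Flask-style config."""
    domain = resolve_cookie_domain(config)
    return {host: cookie_is_sent(domain, host, set_on_host) for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    scenarios = {
        "SERVER_NAME only (Domain inferred)": {"SERVER_NAME": "example.org"},
        "SESSION_COOKIE_DOMAIN = False (host-only)": {
            "SERVER_NAME": "example.org",
            "SESSION_COOKIE_DOMAIN": False,
        },
        "explicit SESSION_COOKIE_DOMAIN": {
            "SERVER_NAME": "example.org:5000",
            "SESSION_COOKIE_DOMAIN": "admin.example.org",
        },
    }
    for label, cfg in scenarios.items():
        print(f"{label}: Domain={resolve_cookie_domain(cfg)!r}")
        for host, sent in admin_cookie_scope(cfg).items():
            print(f"  {host:<20} {'sent' if sent else 'not sent'}")
```

The middle scenario is the one the thread ends on: with SESSION_COOKIE_DOMAIN = False the admin session cookie stays host-only, so www.example.org and example.org never see it even though SERVER_NAME is set; with the SERVER_NAME fallback alone, every subdomain of example.org receives it.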

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2020
@davidism (Member)

See #5051, going to refactor this to remove the SERVER_NAME fallback.
