Cookie changes are not persisted when test client follows redirects #1491
I have a pytest test from a flask application that looks like:
When the user logs out, the session is cleared and it redirects them to the login page. The login route checks if the session has a user id, and if so it redirects them to the homepage.
Therefore the test is trying to assert that the session is cleared after logging out and the user is redirected to the login page. This test was passing in 0.14.1.
However, after upgrading, the test fails. It seems like the user ID is back in the session after it has been cleared, and therefore the user ends up on the homepage.
I am encountering this behaviour only when using the test client, which I am invoking with Flask's `app.test_client()`.
This is due to #1402, which was improving the way redirects are handled by the test client.
It now copies the original environ in order to preserve the headers passed with the original request (which is what browsers do), but it doesn't take into account that
The cookie jar is only modifying the environ if there are cookies. So if the jar is empty, it doesn't ensure that the environ's cookies are cleared. It looks like that
Here's a Werkzeug test:
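```python
from werkzeug.test import Client
from werkzeug.utils import redirect
from werkzeug.wrappers import Request, Response


def test_cookie_across_redirect():
    @Request.application
    def app(request):
        # "/" reports the auth cookie, or "out" when it is absent.
        if request.path == "/":
            return Response(request.cookies.get("auth", "out"))

        # "/in" sets the cookie and redirects to "/".
        if request.path == "/in":
            rv = redirect("/")
            rv.set_cookie("auth", "in")
            return rv

        # "/out" deletes the cookie and redirects to "/".
        if request.path == "/out":
            rv = redirect("/")
            rv.delete_cookie("auth")
            return rv

    c = Client(app, Response)
    assert c.get("/").data == b"out"
    assert c.get("/in", follow_redirects=True).data == b"in"
    assert c.get("/").data == b"in"
    assert c.get("/out", follow_redirects=True).data == b"out"
    assert c.get("/").data == b"out"
```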
If you add an extra cookie during login, and don't delete it during logout so the jar isn't empty, you can see that logout works again.
I think the correct solution here is to add:
```python
else:
    environ.pop("HTTP_COOKIE", None)
```
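The behaviour discussed in this thread, as an added example that is not part of the original comments and is not Werkzeug's code: a stdlib-only model of a test client that follows redirects with a copy of the previous environ, showing the stale `Cookie` header after logout, the effect of the proposed `else` branch, and why an extra cookie hides the problem. All function names and the `keep` cookie are hypothetical.

```python
# Added illustration: a stdlib-only model of the behaviour in this thread.
# Every name here is hypothetical; this is not Werkzeug's code.

def make_app(extra_cookie=False):
    """Mirror of the test app: returns (body, redirect_target, cookie_changes)."""
    def app(environ):
        path = environ["PATH_INFO"]
        if path == "/in":
            changes = {"auth": "in"}
            if extra_cookie:
                changes["keep"] = "1"  # never deleted, so the jar stays non-empty
            return b"", "/", changes
        if path == "/out":
            return b"", "/", {"auth": None}  # None models delete_cookie("auth")
        pairs = environ.get("HTTP_COOKIE", "").split("; ")
        sent = dict(p.split("=", 1) for p in pairs if p)
        return sent.get("auth", "out").encode(), None, {}
    return app


def inject(jar, environ, clear_when_empty):
    """Write the jar into the environ; optionally apply the proposed else branch."""
    if jar:
        environ["HTTP_COOKIE"] = "; ".join(f"{k}={v}" for k, v in jar.items())
    elif clear_when_empty:
        environ.pop("HTTP_COOKIE", None)


def get(app, jar, path, clear_when_empty):
    """Request path and follow redirects, reusing a copy of the previous environ."""
    environ = {"PATH_INFO": path}
    while True:
        inject(jar, environ, clear_when_empty)
        body, target, changes = app(environ)
        for name, value in changes.items():
            if value is None:
                jar.pop(name, None)
            else:
                jar[name] = value
        if target is None:
            return body
        environ = dict(environ, PATH_INFO=target)  # the stale Cookie header is copied too


def body_after_logout(clear_when_empty, extra_cookie=False):
    """Log in, log out, and return the body served after the logout redirect."""
    app, jar = make_app(extra_cookie), {}
    get(app, jar, "/in", clear_when_empty)
    return get(app, jar, "/out", clear_when_empty)
```

Without the `else` branch the request after logout still carries `auth=in`, so a test of logout or session invalidation run through such a client reports the user as still signed in.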