flask-session
Do not set cookie if not required
As currently implemented, flask session will add the set-cookie header to every request including static files, etc. This prevents most standard caching setups. We should call self.should_set_cookie() to determine if the set-cookie header should be included.
With flask default config, this doesn't actually modify the set-cookie header behavior. But, with this change, and by setting SESSION_REFRESH_EACH_REQUEST to False in the flask app config, the set-cookie header will only be included when session.modified is True. This attribute is set anytime one modifies the session, but can also be set manually in specific flask views if needed to update session timeouts.
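The decision described above, modelled as a stand-alone example (added here, not flask-session's or Flask's own code): should_set_cookie follows the same rule as Flask's SessionInterface.should_set_cookie, the Session and AppConfig classes are stand-ins for the real objects, and Session.permanent defaults to True to reflect flask-session's SESSION_PERMANENT default. A response that carries Set-Cookie is treated as per-user and therefore not shared-cacheable.

```python
from dataclasses import dataclass


@dataclass
class AppConfig:
    # Stand-in for the two Flask config keys that drive the decision (model, not Flask)
    SESSION_REFRESH_EACH_REQUEST: bool = True   # Flask default
    SESSION_COOKIE_NAME: str = "session"


@dataclass
class Session:
    # Stand-in for the session object; flask-session defaults SESSION_PERMANENT to True
    permanent: bool = True
    modified: bool = False
    sid: str = "sid-constructed-0001"  # constructed sample session id


def should_set_cookie(config: AppConfig, session: Session) -> bool:
    """Same rule as Flask's SessionInterface.should_set_cookie."""
    return session.modified or (session.permanent and config.SESSION_REFRESH_EACH_REQUEST)


def save_session(config: AppConfig, session: Session, headers: dict) -> dict:
    """Model of save_session with the proposed early return; returns the response headers."""
    if not should_set_cookie(config, session):
        return headers  # nothing to refresh: leave the response cacheable
    headers["Set-Cookie"] = f"{config.SESSION_COOKIE_NAME}={session.sid}; HttpOnly; Path=/"
    return headers


def shared_cacheable(headers: dict) -> bool:
    """A CDN or shared cache treats a response carrying Set-Cookie as per-user."""
    return "Set-Cookie" not in headers


def cacheability_matrix() -> dict:
    """Which combinations still emit Set-Cookie on an unmodified static response."""
    default_cfg = AppConfig()
    quiet_cfg = AppConfig(SESSION_REFRESH_EACH_REQUEST=False)
    svg = {"Content-Type": "image/svg+xml"}  # constructed static response
    return {
        "default, static": shared_cacheable(save_session(default_cfg, Session(), dict(svg))),
        "refresh=False, static": shared_cacheable(save_session(quiet_cfg, Session(), dict(svg))),
        "refresh=False, view wrote session": shared_cacheable(
            save_session(quiet_cfg, Session(modified=True), {})),
    }
```

With the default config every response still gets Set-Cookie (permanent session plus refresh-each-request), which is why the early return alone changes nothing until SESSION_REFRESH_EACH_REQUEST is set to False.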
Hi,
The motivation behind that pull request makes a lot of sense and I concur that this issue should be addressed.
That being said, it raises a significant number of questions and remarks.
- Is commit 15b8dfdaea52909c24dd50e51ba00f3f49bea596 really related to that Set-Cookie issue or is it another issue? More explanations in the commit would be welcome.
- I believe commit 0aec0d9b6810823d6e7afa74d986a84876370f1a forgets to deal with this block: https://github.com/fengsp/flask-session/blob/090dc091aba699fe4661cc3b775f0ae99df35712/flask_session/sessions.py#L151-L159
- This block indicates that, at some point in the past, there has been some attempt at handling SESSION_REFRESH_EACH_REQUEST in flask_session -- it would be very interesting to know why this was aborted... (some touchy corner case perhaps?)
Last but not least: I know this is flask-session's Git repository, but the behaviour implemented by flask itself raises questions too: does anyone know why SESSION_REFRESH_EACH_REQUEST applies to permanent sessions only? The original commit (https://github.com/pallets/flask/commit/d1d835c02302884b2db1cab099b3ea6a84f41d32) says nothing about this discrimination.
Did anything like this get implemented? We are having some very strange effects when Cloudflare caches a particular SVG static resource that has a Set-Cookie for the session cookie in the response headers. Is there a way to prevent this header being sent with static resources?
Uncommenting the block allowed me to send cookies only when needed. To anyone wondering why Cloudflare does not cache static files (js, css, ...), just activate this check in version 0.3.2.
```python
# Early return in save_session: skip Set-Cookie when the session does not need it
if not self.should_set_cookie(app, session):
    return
```