Merge pull request #116 from tylersalminen/master

Implemented SESSION_COOKIE_SAMESITE

Author: fengsp

flask_session/sessions.py

@@ -110,6 +110,7 @@ def __init__(self, redis, key_prefix, use_signer=False, permanent=True):
         self.key_prefix = key_prefix
         self.use_signer = use_signer
         self.permanent = permanent
+        self.has_same_site_capability = hasattr(self, "get_cookie_samesite")
 
     def open_session(self, app, request):
         sid = request.cookies.get(app.session_cookie_name)
@@ -157,9 +158,11 @@ def save_session(self, app, session, response):
         # the permanent flag on the session itself.
         # if not self.should_set_cookie(app, session):
         #    return
-
+        conditional_cookie_kwargs = {}
         httponly = self.get_cookie_httponly(app)
         secure = self.get_cookie_secure(app)
+        if self.has_same_site_capability:
+            conditional_cookie_kwargs["samesite"] = self.get_cookie_samesite(app)
         expires = self.get_expiration_time(app, session)
         val = self.serializer.dumps(dict(session))
         self.redis.setex(name=self.key_prefix + session.sid, value=val,
@@ -170,7 +173,8 @@ def save_session(self, app, session, response):
             session_id = session.sid
         response.set_cookie(app.session_cookie_name, session_id,
                             expires=expires, httponly=httponly,
-                            domain=domain, path=path, secure=secure)
+                            domain=domain, path=path, secure=secure,
+                            **conditional_cookie_kwargs)
 
 
 class MemcachedSessionInterface(SessionInterface):
@@ -197,6 +201,7 @@ def __init__(self, client, key_prefix, use_signer=False, permanent=True):
         self.key_prefix = key_prefix
         self.use_signer = use_signer
         self.permanent = permanent
+        self.has_same_site_capability = hasattr(self, "get_cookie_samesite")
 
     def _get_preferred_memcache_client(self):
         servers = ['127.0.0.1:11211']
@@ -272,8 +277,11 @@ def save_session(self, app, session, response):
                                        domain=domain, path=path)
             return
 
+        conditional_cookie_kwargs = {}
         httponly = self.get_cookie_httponly(app)
         secure = self.get_cookie_secure(app)
+        if self.has_same_site_capability:
+            conditional_cookie_kwargs["samesite"] = self.get_cookie_samesite(app)
         expires = self.get_expiration_time(app, session)
         if not PY2:
             val = self.serializer.dumps(dict(session), 0)
@@ -287,7 +295,8 @@ def save_session(self, app, session, response):
             session_id = session.sid
         response.set_cookie(app.session_cookie_name, session_id,
                             expires=expires, httponly=httponly,
-                            domain=domain, path=path, secure=secure)
+                            domain=domain, path=path, secure=secure,
+                            **conditional_cookie_kwargs)
 
 
 class FileSystemSessionInterface(SessionInterface):
@@ -314,6 +323,7 @@ def __init__(self, cache_dir, threshold, mode, key_prefix,
         self.key_prefix = key_prefix
         self.use_signer = use_signer
         self.permanent = permanent
+        self.has_same_site_capability = hasattr(self, "get_cookie_samesite")
 
     def open_session(self, app, request):
         sid = request.cookies.get(app.session_cookie_name)
@@ -346,8 +356,11 @@ def save_session(self, app, session, response):
                                        domain=domain, path=path)
             return
 
+        conditional_cookie_kwargs = {}
         httponly = self.get_cookie_httponly(app)
         secure = self.get_cookie_secure(app)
+        if self.has_same_site_capability:
+            conditional_cookie_kwargs["samesite"] = self.get_cookie_samesite(app)
         expires = self.get_expiration_time(app, session)
         data = dict(session)
         self.cache.set(self.key_prefix + session.sid, data,
@@ -358,7 +371,8 @@ def save_session(self, app, session, response):
             session_id = session.sid
         response.set_cookie(app.session_cookie_name, session_id,
                             expires=expires, httponly=httponly,
-                            domain=domain, path=path, secure=secure)
+                            domain=domain, path=path, secure=secure,
+                            **conditional_cookie_kwargs)
 
 
 class MongoDBSessionInterface(SessionInterface):
@@ -388,6 +402,7 @@ def __init__(self, client, db, collection, key_prefix, use_signer=False,
         self.key_prefix = key_prefix
         self.use_signer = use_signer
         self.permanent = permanent
+        self.has_same_site_capability = hasattr(self, "get_cookie_samesite")
 
     def open_session(self, app, request):
         sid = request.cookies.get(app.session_cookie_name)
@@ -431,8 +446,11 @@ def save_session(self, app, session, response):
                                        domain=domain, path=path)
             return
 
+        conditional_cookie_kwargs = {}
         httponly = self.get_cookie_httponly(app)
         secure = self.get_cookie_secure(app)
+        if self.has_same_site_capability:
+            conditional_cookie_kwargs["samesite"] = self.get_cookie_samesite(app)
         expires = self.get_expiration_time(app, session)
         val = self.serializer.dumps(dict(session))
         self.store.update({'id': store_id},
@@ -445,7 +463,8 @@ def save_session(self, app, session, response):
             session_id = session.sid
         response.set_cookie(app.session_cookie_name, session_id,
                             expires=expires, httponly=httponly,
-                            domain=domain, path=path, secure=secure)
+                            domain=domain, path=path, secure=secure,
+                            **conditional_cookie_kwargs)
 
 
 class SqlAlchemySessionInterface(SessionInterface):
@@ -473,6 +492,7 @@ def __init__(self, app, db, table, key_prefix, use_signer=False,
         self.key_prefix = key_prefix
         self.use_signer = use_signer
         self.permanent = permanent
+        self.has_same_site_capability = hasattr(self, "get_cookie_samesite")
 
         class Session(self.db.Model):
             __tablename__ = table
@@ -541,8 +561,11 @@ def save_session(self, app, session, response):
                                        domain=domain, path=path)
             return
 
+        conditional_cookie_kwargs = {}
         httponly = self.get_cookie_httponly(app)
         secure = self.get_cookie_secure(app)
+        if self.has_same_site_capability:
+            conditional_cookie_kwargs["samesite"] = self.get_cookie_samesite(app)
         expires = self.get_expiration_time(app, session)
         val = self.serializer.dumps(dict(session))
         if saved_session:
@@ -559,4 +582,5 @@ def save_session(self, app, session, response):
             session_id = session.sid
         response.set_cookie(app.session_cookie_name, session_id,
                             expires=expires, httponly=httponly,
-                            domain=domain, path=path, secure=secure)
+                            domain=domain, path=path, secure=secure,
+                            **conditional_cookie_kwargs)