zebpalmer commented May 14, 2017

As currently implemented, flask session will add the set-cookie header to every request including static files, etc. This prevents most standard caching setups. We should call self.should_set_cookie() to determine if the set-cookie header should be included.

With flask default config, this doesn't actually modify the set-cookie header behavior. But, with this change, and by setting SESSION_REFRESH_EACH_REQUEST to False in the flask app config, the set-cookie header will only be included when session.modified is True. This attribute is set anytime one modifies the session, but can also be set manually in specific flask views if needed to update session timeouts.

zebpalmer added 3 commits May 3, 2017 13:54
setting the cookie on every request is not ideal in many cases. checking this method mimics the behavior of the default flask logic allowing configuration of when cookies should be set. this changes nothing unless SESSION_REFRESH_EACH_REQUEST is true in app config.

knivre commented Sep 8, 2017

Hi,

The motivation behind that pull request makes a lot of sense and I concur that this issue should be addressed.

That being said, it raises a significant number of questions and remarks.

Last but not least: I know this is flask-session's Git repository, but the behaviour implemented by flask itself raises questions too: does anyone know why SESSION_REFRESH_EACH_REQUEST applies to permanent sessions only? The original commit (pallets/flask@d1d835c) says nothing about this discrimination.


bakert commented Oct 29, 2019

Did anything like this get implemented? We are having some very strange effects when Cloudflare caches a particular SVG static resource that has a Set-Cookie for the session cookie in the response headers. Is there a way to prevent this header being sent with static resources?

@funoverip

Uncommenting the block allowed me to send cookies only when needed. To anyone wondering why Cloudflare does not cache static files (js, css, ...), just activate this check in version 0.3.2.

if not self.should_set_cookie(app, session):
    return
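
An added example, not part of this conversation and not code from Flask-Session or the pull request: a plain-Python model of the guard discussed above, showing which responses to static paths would still carry Set-Cookie with and without the check. The `Session` class, the `save_session` model, `static_with_cookie`, the traffic and the cookie value are constructed for illustration, and sessions are assumed to be permanent; only the `should_set_cookie` rule follows Flask's.

```python
from dataclasses import dataclass

@dataclass
class Session:
    modified: bool = False   # becomes True whenever a view changes the session
    permanent: bool = True   # assumption for this model: sessions are permanent

def should_set_cookie(config, session):
    # Same rule as Flask's SessionInterface.should_set_cookie().
    return session.modified or (
        session.permanent and config["SESSION_REFRESH_EACH_REQUEST"])

def save_session(config, session, guarded):
    """Model of the save step: return the response headers it would emit."""
    headers = []
    if guarded and not should_set_cookie(config, session):
        return headers  # the early return quoted in this thread
    # Constructed placeholder cookie value.
    return headers + [("Set-Cookie", "session=<constructed-sid>; HttpOnly; Path=/")]

# Constructed traffic: (path, session state after the request was handled).
TRAFFIC = [
    ("/login", Session(modified=True)),
    ("/static/logo.svg", Session()),
    ("/static/app.js", Session()),
]

def static_with_cookie(config, guarded):
    """Paths under /static/ whose response would still carry Set-Cookie."""
    flagged = []
    for path, session in TRAFFIC:
        headers = save_session(config, session, guarded)
        has_cookie = any(name.lower() == "set-cookie" for name, _ in headers)
        if path.startswith("/static/") and has_cookie:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for refresh in (True, False):
        for guarded in (False, True):
            cfg = {"SESSION_REFRESH_EACH_REQUEST": refresh}
            print(f"refresh={refresh} guarded={guarded}:",
                  static_with_cookie(cfg, guarded))
```

Only the combination of the guard and SESSION_REFRESH_EACH_REQUEST set to False leaves the static responses without a session cookie, while the modified session on /login still gets one.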
