
Commit ccd5ced

committed
Chop off the port for session cookies. This fixes pallets#253
1 parent 4e47ea9 commit ccd5ced

2 files changed

+16
-1
lines changed


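--- a/flask/app.py
+++ b/flask/app.py
@@ -602,7 +602,8 @@ def save_session(self, session, response):
         if session.permanent:
             expires = datetime.utcnow() + self.permanent_session_lifetime
         if self.config['SERVER_NAME'] is not None:
-            domain = '.' + self.config['SERVER_NAME']
+            # chop of the port which is usually not supported by browsers
+            domain = '.' + self.config['SERVER_NAME'].rsplit(':', 1)[0]
         session.save_cookie(response, self.session_cookie_name,
                             expires=expires, httponly=True, domain=domain)
 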
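Review bot: The `rsplit(':', 1)[0]` on the added line 606 assumes the last colon in SERVER_NAME separates a port, so a bare IPv6 literal such as `::1` is mangled into the cookie domain `.:`, while the bracketed `[::1]:5000` form only survives by accident. If IP literals are out of scope here, the comment should say so and should also fix its wording, e.g. `# chop off the port: browsers reject a port in a cookie Domain; assumes SERVER_NAME is host[:port], not a bare IPv6 literal`. Two pre-existing properties of this branch are worth a sentence in the same comment: the leading `.` makes the session cookie readable by every subdomain of SERVER_NAME, and a single-label value like `localhost:5000` still yields `.localhost`, which browsers will drop just as they drop the port. The enclosing save_session begins above this hunk.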
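--- a/tests/flask_tests.py
+++ b/tests/flask_tests.py
@@ -306,6 +306,20 @@ def index():
         assert 'domain=.example.com' in rv.headers['set-cookie'].lower()
         assert 'httponly' in rv.headers['set-cookie'].lower()
 
+    def test_session_using_server_name_and_port(self):
+        app = flask.Flask(__name__)
+        app.config.update(
+            SECRET_KEY='foo',
+            SERVER_NAME='example.com:8080'
+        )
+        @app.route('/')
+        def index():
+            flask.session['testing'] = 42
+            return 'Hello World'
+        rv = app.test_client().get('/', 'http://example.com:8080/')
+        assert 'domain=.example.com' in rv.headers['set-cookie'].lower()
+        assert 'httponly' in rv.headers['set-cookie'].lower()
+
     def test_missing_session(self):
         app = flask.Flask(__name__)
         def expect_exception(f, *args, **kwargs):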