From df7b86ebe56d9879a411d4ac8d5e93709d200d64 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 15 May 2023 07:00:33 -0400
Subject: [PATCH 5/6] set Vary: Cookie header consistently for session

Backport 8705dd3
---
 flask/sessions.py | 48 +++++++++++++++++++++++------------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/flask/sessions.py b/flask/sessions.py
index 359b3453..ed069b23 100644
--- a/flask/sessions.py
+++ b/flask/sessions.py
@@ -354,30 +354,30 @@ class SecureCookieSessionInterface(SessionInterface):
         domain = self.get_cookie_domain(app)
         path = self.get_cookie_path(app)
 
+        # Add a "Vary: Cookie" header if the session was accessed at all.
         if session.accessed:
-
-            response.headers.add('Vary', 'Cookie')
-
-        else:
-
-            # Delete case.  If there is no session we bail early.
-            # If the session was modified to be empty we remove the
-            # whole cookie.
-            if not session:
-                if session.modified:
-                    response.delete_cookie(app.session_cookie_name,
-                                           domain=domain, path=path)
-                return
-
-            # Modification case.  There are upsides and downsides to
-            # emitting a set-cookie header each request.  The behavior
-            # is controlled by the :meth:`should_set_cookie` method
-            # which performs a quick check to figure out if the cookie
-            # should be set or not.  This is controlled by the
-            # SESSION_REFRESH_EACH_REQUEST config flag as well as
-            # the permanent flag on the session itself.
-            if not self.should_set_cookie(app, session):
-                return
+            response.vary.add('Cookie')
+
+
+        # Delete case.  If there is no session we bail early.
+        # If the session was modified to be empty we remove the
+        # whole cookie.
+        if not session:
+            if session.modified:
+                response.delete_cookie(app.session_cookie_name,
+                                       domain=domain, path=path)
+                response.vary.add('Cookie')
+            return
+
+        # Modification case.  There are upsides and downsides to
+        # emitting a set-cookie header each request.  The behavior
+        # is controlled by the :meth:`should_set_cookie` method
+        # which performs a quick check to figure out if the cookie
+        # should be set or not.  This is controlled by the
+        # SESSION_REFRESH_EACH_REQUEST config flag as well as
+        # the permanent flag on the session itself.
+        if not self.should_set_cookie(app, session):
+            return
 
         httponly = self.get_cookie_httponly(app)
         secure = self.get_cookie_secure(app)
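Review bot: The new comment above `if session.accessed:` says when the header is added but not why, and the why is the security-relevant part: without `Vary: Cookie` a shared cache may serve one client's session-dependent response to another client; I would extend it to `# Add a "Vary: Cookie" header if the session was accessed at all, so shared caches never serve a session-dependent response to another client.` The same rationale applies to the two other `response.vary.add('Cookie')` calls added here in the delete branch and in the second hunk after `response.set_cookie(...)`, which cover responses that emit or clear the cookie without the session having been read; a short test asserting `Vary: Cookie` on a response that only clears the session cookie would pin that behaviour for the backport. On style, the two consecutive blank lines after `response.vary.add('Cookie')` inside the function body should be one. The enclosing `save_session` method starts before the hunk and continues into the second hunk.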
@@ -386,6 +386,6 @@ class SecureCookieSessionInterface(SessionInterface):
         response.set_cookie(app.session_cookie_name, val,
                             expires=expires, httponly=httponly,
                             domain=domain, path=path, secure=secure)
-
+        response.vary.add('Cookie')
 
 from flask.debughelpers import UnexpectedUnicodeError
-- 
2.31.1