
javascript - Flask cookies do not have the SameSite attribute - Stack Overflow


Recently due to Chrome 80, it has been noted that cookies without the SameSite=None and Secure attributes will not get set in Chrome browsers.

Currently, I use the Flask-JWT-Extended library to generate my cookies for my backend, but even though it has the samesite=None in the set_cookies function the cookies still do not get set in the browser. I sent the request with Postman and viewed my cookie and got the below cookie:

access_token_cookie=my_token; Path=/; Domain=127.0.0.1; Secure; HttpOnly;

I have tried manually setting the headers with:

resp.headers.add('Set-Cookie', 'access_token_cookie=bar; SameSite=None; Secure')

But even after setting the cookie manually, I still get the following cookie with no SameSite attribute:

access_token_cookie=bar; Path=/user; Domain=127.0.0.1; Secure;

I'm wondering if there is a way to set the SameSite attribute within the cookies right now.

Edit: This is the code that I have for the site.

        from flask import jsonify
        from flask_jwt_extended import create_access_token

        access_token = create_access_token(identity=user.username)
        resp = jsonify({"username": user.username,
                        "user_type": user.roles
                        })
        # Manually appended Set-Cookie header, as described above
        resp.headers.add('Set-Cookie', 'access_token_cookie=' + access_token + '; SameSite=None; Secure')
        return resp

asked Apr 1, 2020 at 21:23 by Bryan Wong; edited Mar 28, 2021 at 11:49 by jub0bs

3 Answers


Chrome ignores cookies marked as Secure that were received via an insecure channel. So, you can either test this via https or remove the Secure attribute.

In order to do this, I use make_response without any Flask plugins:

from flask import make_response, render_template
resp = make_response(render_template("index.html"))
resp.set_cookie('pwd', pwd, samesite="Lax")

The important part is resp.set_cookie('pwd', pwd, samesite="Lax"). The samesite argument lets you set the SameSite of the cookie.

You're correct in thinking that Chrome now requires cookies marked SameSite=None to also be marked Secure:

Any cookie that requests SameSite=None but is not marked Secure will be rejected.

However, the Domain you specify for your cookie (127.0.0.1) indicates that the request's server origin is an insecure one (i.e. using the http scheme), and you should be aware that, due to a feature known as Strict Secure Cookies, attempts to set a Secure cookie from an insecure origin fail in Chrome 58+:

This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies.

Therefore, if you want to set a cookie marked SameSite=None in modern Chrome, the origin needs to be secure (i.e. use the https scheme).
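As an added illustration of the rules the answers above rely on (this is not code from the question or from any answer), the stdlib-only checker below takes a Set-Cookie header exactly as the asker copied it, plus the URL of the request that set it, and reports which Chrome 80 rule would cause the cookie to be dropped or downgraded: SameSite=None requires Secure, a Secure cookie from an http origin is rejected (Strict Secure Cookies), and a missing SameSite attribute is treated as Lax. The sample headers are the two from the question and a constructed corrected one served over https.

```python
"""Check Set-Cookie headers against the Chrome 80 SameSite/Secure rules."""
from typing import Dict, List
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into lower-cased attribute names.

    Flag attributes (Secure, HttpOnly) map to an empty string. A trailing ';'
    such as the one in the asker's first header is tolerated.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:  # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def check_set_cookie(header: str, request_url: str) -> List[str]:
    """Return the reasons Chrome (80+) would not store the cookie as written.

    An empty list means the cookie is accepted with the intended attributes.
    """
    attrs = parse_set_cookie(header)
    scheme = urlsplit(request_url).scheme.lower()
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    problems: List[str] = []
    if samesite == "none" and not secure:
        problems.append("SameSite=None without Secure: rejected")
    if secure and scheme != "https":
        problems.append("Secure cookie set from an insecure origin: "
                        "rejected by Strict Secure Cookies")
    if not samesite:
        problems.append("no SameSite attribute: defaults to Lax, so it is "
                        "not sent on cross-site requests")
    return problems


if __name__ == "__main__":
    # Constructed samples: the asker's headers over http, then a corrected one
    samples = [
        ("access_token_cookie=my_token; Path=/; Domain=127.0.0.1; Secure; HttpOnly;",
         "http://127.0.0.1:5000/"),
        ("access_token_cookie=bar; SameSite=None; Secure", "http://127.0.0.1:5000/user"),
        ("access_token_cookie=bar; SameSite=None; Secure", "https://127.0.0.1:5000/user"),
    ]
    for hdr, url in samples:
        print(url, "->", check_set_cookie(hdr, url) or "accepted")
```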
