From 8705dd39c4fa563ea0fe0bf84c85da8fcc98b88d Mon Sep 17 00:00:00 2001 From: David Lord Date: Mon, 1 May 2023 08:01:32 -0700 Subject: [PATCH] set `Vary: Cookie` header consistently for session --- src/flask/sessions.py | 10 ++++++---- tests/test_basic.py | 23 +++++++++++++++++++++++ 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/src/flask/sessions.py b/src/flask/sessions.py index 1334184eb0..e5650d6862 100644 --- a/src/flask/sessions.py +++ b/src/flask/sessions.py @@ -329,6 +329,10 @@ def save_session( samesite = self.get_cookie_samesite(app) httponly = self.get_cookie_httponly(app) + # Add a "Vary: Cookie" header if the session was accessed at all. + if session.accessed: + response.vary.add("Cookie") + # If the session is modified to be empty, remove the cookie. # If the session is empty, return without setting the cookie. if not session: @@ -341,13 +345,10 @@ def save_session( samesite=samesite, httponly=httponly, ) + response.vary.add("Cookie") return - # Add a "Vary: Cookie" header if the session was accessed at all. - if session.accessed: - response.vary.add("Cookie") - if not self.should_set_cookie(app, session): return @@ -363,3 +364,4 @@ def save_session( secure=secure, samesite=samesite, ) + response.vary.add("Cookie") diff --git a/tests/test_basic.py b/tests/test_basic.py index 32b41b6378..ca373dcae3 100644 --- a/tests/test_basic.py +++ b/tests/test_basic.py @@ -501,6 +501,11 @@ def getitem(): def setdefault(): return flask.session.setdefault("test", "default") + @app.route("/clear") + def clear(): + flask.session.clear() + return "" + @app.route("/vary-cookie-header-set") def vary_cookie_header_set(): response = flask.Response() @@ -533,11 +538,29 @@ def expect(path, header_value="Cookie"): expect("/get") expect("/getitem") expect("/setdefault") + expect("/clear") expect("/vary-cookie-header-set") expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie") expect("/no-vary-header", None) +def test_session_refresh_vary(app, client): + @app.get("/login") + def login(): + flask.session["user_id"] = 1 + flask.session.permanent = True + return "" + + @app.get("/ignored") + def ignored(): + return "" + + rv = client.get("/login") + assert rv.headers["Vary"] == "Cookie" + rv = client.get("/ignored") + assert rv.headers["Vary"] == "Cookie" + + def test_flashes(app, req_ctx): assert not flask.session.modified flask.flash("Zap")