
Session cookie security

by roundabout, Tuesday, 7 May 2024, 13:15:50 (1715087750), pushed by roundabout, Wednesday, 31 July 2024, 06:54:48 (1722408888)

Author identity: vlad <vlad.muntoiu@gmail.com>

881d5147ad7d0f6449e4189a1a626546e37f5abd

app.py

@@ -29,7 +29,7 @@ from common import git_command

                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            from flask_babel import Babel, gettext, ngettext, force_locale
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            _ = gettext
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        n_ = gettext
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        n_ = ngettext
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            app = flask.Flask(__name__)
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            app.config.from_mapping(
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        

@@ -47,6 +47,10 @@ app.config["SECRET_KEY"] = config.DB_PASSWORD

                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            app.config["BABEL_TRANSLATION_DIRECTORIES"] = "i18n"
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            app.config["MAX_CONTENT_LENGTH"] = config.MAX_PAYLOAD_SIZE
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        app.config["SESSION_COOKIE_SECURE"] = config.suggest_https       # only send cookies over HTTPS if the server is configured for it
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        app.config["SESSION_COOKIE_HTTPONLY"] = True                     # don't allow JS to access the cookie
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        app.config["SESSION_COOKIE_DOMAIN"] = config.BASE_DOMAIN         # don't share across subdomains, since user content is hosted there
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            db = SQLAlchemy(app)
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            bcrypt = Bcrypt(app)
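Review bot: The `SESSION_COOKIE_DOMAIN = config.BASE_DOMAIN` line does the opposite of what its comment says: an explicit `Domain` attribute makes browsers send the cookie to that domain and every subdomain, so the user-content subdomains this comment wants to isolate would receive the session cookie. To keep the cookie host-only, do not set a domain at all — `app.config["SESSION_COOKIE_DOMAIN"] = None  # host-only cookie: an explicit Domain is shared with all subdomains` (on older Flask versions that derive the domain from `SERVER_NAME`, `False` is the value that disables it). Separately, the hunk header shows `SECRET_KEY = config.DB_PASSWORD`; the session signing key should be an independent random secret (for example one generated once with `secrets.token_hex(32)`), since reusing the database password means a leak of either one compromises both. Keying `SESSION_COOKIE_SECURE` on `config.suggest_https` is reasonable, but it is worth documenting that a deployment behind a TLS-terminating proxy with `suggest_https` left false will still allow the session cookie over plain HTTP.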