File 0001-set-Vary-Cookie-header-consistently-for-session.patch of Package python-Flask
From c4e2190010c1e0a141622bea79933bda2b3338f7 Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Mon, 1 May 2023 08:01:32 -0700
Subject: [PATCH] set `Vary: Cookie` header consistently for session
(cherry picked from commit 8705dd39c4fa563ea0fe0bf84c85da8fcc98b88d)
Conflicts:
flask/sessions.py
tests/test_basic.py
---
flask/sessions.py | 10 ++++++----
tests/test_basic.py | 23 +++++++++++++++++++++++
2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/flask/sessions.py b/flask/sessions.py
index ec4253d5..e1ac8189 100644
--- a/flask/sessions.py
+++ b/flask/sessions.py
@@ -349,6 +349,10 @@ class SecureCookieSessionInterface(SessionInterface):
domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app)
+ # Add a "Vary: Cookie" header if the session was accessed at all.
+ if session.accessed:
+ response.vary.add("Cookie")
+
# If the session is modified to be empty, remove the cookie.
# If the session is empty, return without setting the cookie.
if not session:
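Review bot: The comment on the moved `session.accessed` check does not say why it now sits ahead of the `if not session:` return, and that ordering is the point of the move. The removed lines show the check used to come after that early `return`, so a view that only read an empty session left without the header. A comment such as `# Must run before the empty-session return below so a read of an empty session still varies on Cookie.` would keep a later refactor from undoing the ordering. save_session starts and ends outside this hunk.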
@@ -358,13 +362,10 @@ class SecureCookieSessionInterface(SessionInterface):
domain=domain,
path=path
)
+ response.vary.add("Cookie")
return
- # Add a "Vary: Cookie" header if the session was accessed at all.
- if session.accessed:
- response.vary.add('Cookie')
-
if not self.should_set_cookie(app, session):
return
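Review bot: The `response.vary.add("Cookie")` added after the cookie deletion here, and the one added after `set_cookie` in the next hunk, have no comment explaining why they are needed on top of the `session.accessed` check. They appear to cover responses that change the session cookie even though the view never accessed the session (the new test_session_refresh_vary exercises a permanent session); without the header a shared cache could store a response carrying one client's `Set-Cookie` and serve it to others. A comment at both sites, e.g. `# This response sets or deletes the session cookie, so caches must key on Cookie even if the session was not accessed.`, would record that intent. The enclosing `if` and the opening of the call are outside the hunk.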
@@ -383,3 +384,4 @@ class SecureCookieSessionInterface(SessionInterface):
secure=secure,
samesite=samesite
)
+ response.vary.add("Cookie")
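Review bot: `Vary: Cookie` after `set_cookie` only helps with caches that honour `Vary`; the visible lines leave `Cache-Control` untouched, so an intermediary that ignores `Vary` could still store this response together with its `Set-Cookie`. Changing the framework's caching defaults may well be out of scope for this fix, but the limit is worth stating next to the line, e.g. `# Vary does not make this response uncacheable; deployments behind a shared cache should also send Cache-Control: private on session-bearing responses.` The start of the `set_cookie` call and the enclosing method are outside the hunk.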
diff --git a/tests/test_basic.py b/tests/test_basic.py
index c0168ae3..58d86a9e 100644
--- a/tests/test_basic.py
+++ b/tests/test_basic.py
@@ -545,6 +545,11 @@ def test_session_vary_cookie(app, client):
def setdefault():
return flask.session.setdefault('test', 'default')
+ @app.route("/clear")
+ def clear():
+ flask.session.clear()
+ return ""
+
@app.route('/vary-cookie-header-set')
def vary_cookie_header_set():
response = flask.Response()
@@ -577,11 +582,29 @@ def test_session_vary_cookie(app, client):
expect('/get')
expect('/getitem')
expect('/setdefault')
+ expect('/clear')
expect('/vary-cookie-header-set')
expect('/vary-header-set', 'Accept-Encoding, Accept-Language, Cookie')
expect('/no-vary-header', None)
+def test_session_refresh_vary(app, client):
+ @app.route("/login")
+ def login():
+ flask.session["user_id"] = 1
+ flask.session.permanent = True
+ return ""
+
+ @app.route("/ignored")
+ def ignored():
+ return ""
+
+ rv = client.get("/login")
+ assert rv.headers["Vary"] == "Cookie"
+ rv = client.get("/ignored")
+ assert rv.headers["Vary"] == "Cookie"
+
+
def test_flashes(app, req_ctx):
assert not flask.session.modified
flask.flash('Zap')
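Review bot: test_session_refresh_vary asserts only the `Vary` value, so it does not show that `/ignored` actually re-sent the session cookie, which is the condition that makes the header necessary. Adding `assert "Set-Cookie" in rv.headers` after the second request would tie the test to the refresh path (presumably driven by `session.permanent = True`; should_set_cookie is not visible here). Separately, `rv.headers["Vary"]` raises KeyError instead of failing the assertion when the header is missing; `assert rv.headers.get("Vary") == "Cookie"` gives a clearer failure.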
--
2.34.1