alex-oleshkevich / starsessions

Advanced sessions for Starlette and FastAPI frameworks
MIT License

cookie_https_only doesn't work when set to False #69

Closed jrobbins-LiveData closed 8 months ago

jrobbins-LiveData commented 8 months ago

Whether the cookie_https_only initializer is set to True or False, self.security_flags always has "httponly;" in it. For testing, I'd like to turn off httponly.

File: starsessions\middleware.py

        self.security_flags = "httponly; samesite=" + cookie_same_site
        if cookie_https_only:  # Secure flag can be used with HTTPS only
            self.security_flags += "; secure"

alex-oleshkevich commented 8 months ago

This is correct. httponly forbids access to session cookie from JavaScript. Why do you want to disable this in tests?

jrobbins-LiveData commented 8 months ago

That's a good question. I went back to the test in question and I see that I misunderstood the requirement from starlette's TestClient. My test needed access to the session cookie on the client side, and I thought that I needed to remove httponly, but I see that all I needed to do was set cookie_https_only to False. I think the flag's name (cookie_https_only) had led me to believe that it would control the httponly attribute. But I see that my test works without the middleware I wrote to remove httponly, so this issue can be closed. Sorry about that!
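The two attributes the thread conflates do different jobs: Secure decides whether a client will send the cookie over a plain http:// connection at all, HttpOnly decides whether page scripts can read it. The following is an added example written for this page, not code from the issue or from starsessions. build_security_flags mirrors the three quoted middleware lines; the Set-Cookie parser and the client_would_send / script_can_read helpers are a hypothetical, simplified model of browser behaviour used only to show what each flag changes.

```python
"""Added example: Secure vs HttpOnly on a session cookie.

Not starsessions' own code. build_security_flags copies the logic of the
three middleware lines quoted in the issue; everything else is a hypothetical
model of how an HTTP client treats the two attributes.
"""
from typing import Dict, Optional, Tuple

Attrs = Dict[str, Optional[str]]


def build_security_flags(cookie_same_site: str = "lax",
                         cookie_https_only: bool = True) -> str:
    """Same logic as the quoted middleware lines: HttpOnly is always present,
    Secure is appended only when cookie_https_only is True."""
    flags = "httponly; samesite=" + cookie_same_site
    if cookie_https_only:  # Secure flag can be used with HTTPS only
        flags += "; secure"
    return flags


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Minimal Set-Cookie parser: (name, value, {attr: value or None}).
    Attribute names and values are lower-cased; bare flags map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if sep else None
    return name.strip(), value.strip(), attrs


def client_would_send(attrs: Attrs, scheme: str) -> bool:
    """Hypothetical client model: a cookie carrying Secure is only returned
    on https requests. HttpOnly has no influence on whether it is sent."""
    return not ("secure" in attrs and scheme != "https")


def script_can_read(attrs: Attrs) -> bool:
    """HttpOnly hides the cookie from document.cookie; Secure does not."""
    return "httponly" not in attrs


def describe(cookie_https_only: bool, scheme: str) -> Dict[str, bool]:
    """Build the session cookie the way the middleware would for the given
    setting, then report how a client on the given scheme treats it."""
    # Constructed sample cookie value; any opaque session id would do.
    header = "session=abc123; " + build_security_flags("lax", cookie_https_only)
    _, _, attrs = parse_set_cookie(header)
    return {
        "sent_by_client": client_would_send(attrs, scheme),
        "readable_by_js": script_can_read(attrs),
    }


if __name__ == "__main__":
    for https_only in (True, False):
        for scheme in ("http", "https"):
            print(f"cookie_https_only={https_only} over {scheme}:",
                  describe(https_only, scheme))
```

Running it shows that with cookie_https_only=True the cookie is withheld on plain http but is never script-readable, and with cookie_https_only=False it is sent on http while still being hidden from scripts. That matches the reporter's finding: a test client talking to the app over http only needed the Secure flag dropped, and HttpOnly never stood in the way.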