holoviz / panel

Panel: The powerful data exploration & web app framework for Python
https://panel.holoviz.org
BSD 3-Clause "New" or "Revised" License

Cookies and possibly other unwanted info are copied in new sessions with --reuse-sessions #5552

Open TheoMathurin opened 1 year ago

TheoMathurin commented 1 year ago

ALL software version info

Panel 1.2.3, Bokeh 3.2.2

Description of expected behavior and the observed behavior

After the first session has been loaded with --reuse-sessions enabled, I expected subsequent sessions not to inherit the cookies (or lack thereof) from the first session.

However, the dictionary you get from pn.state.curdoc.session_context.request.cookies is identical from session to session, even when opening the app from a different browser.

I chose to enable --reuse-sessions to speed up rendering but I'd still like to be able to use cookies.

Complete, minimal, self-contained example code that reproduces the issue

set_cookie app

import panel as pn

# Serve a page whose inline script sets a 30-day "foo=bar" cookie in the browser.
pn.pane.HTML("""
<script>
document.cookie="foo=bar;expires=" +
new Date(Date.now()+(30*24*60*60*1000)).toUTCString() + ";SameSite=Strict";
</script>
""").servable()

Use this to set a cookie in your browser.

read_cookie app

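import panel as pn

# Cookies as reported server-side for the request behind the current session.
cookies = pn.state.curdoc.session_context.request.cookies
print(cookies)

# Show the same dictionary in the page so it can be compared across browsers.
pn.pane.JSON(cookies).servable()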

Open this app with the same browser using panel serve read_cookie.py --reuse-sessions to read the cookie. You will see the cookie as expected. Now open it with a private window or a second browser: the cookies dict is the same, although in fact you have no cookie.

Removing --reuse-sessions solves the issue.

TheoMathurin commented 11 months ago

Apparently this is still an issue in Panel 1.3.6.
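
The behaviour reported in this issue, as an added example that is not part of the original thread and is not Panel or Bokeh code: a toy server that clones a cached first session together with its request context, next to a variant that rebinds request-scoped data for every new session. All class and function names are hypothetical, and the cloning mechanism is an assumption made for illustration; the issue does not describe Panel's internals.

```python
"""Toy model of request-scoped data leaking through a reused session.

Not Panel or Bokeh code: every class and function here is hypothetical.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class Request:
    cookies: dict  # cookies sent by this particular browser


@dataclass
class Session:
    request: Request
    widgets: list = field(default_factory=list)  # expensive-to-build app state


def build_app(request):
    """Stand-in for the slow first render that session reuse tries to avoid."""
    return Session(request=request, widgets=["plot", "table"])


class LeakyServer:
    """Clones the first session wholesale, request context included."""
    def __init__(self):
        self._template = None

    def open_session(self, request):
        if self._template is None:
            self._template = build_app(request)
        return copy.deepcopy(self._template)  # first visitor's cookies ride along


class FixedServer(LeakyServer):
    """Reuses the rendered state but rebinds request-scoped data per session."""
    def open_session(self, request):
        session = super().open_session(request)
        session.request = Request(cookies=dict(request.cookies))
        return session


def cookies_seen(server, *cookie_jars):
    """Open one session per constructed cookie jar and report what the app sees."""
    return [server.open_session(Request(jar)).request.cookies for jar in cookie_jars]


# Constructed sample input: a browser holding foo=bar, then a private window.
FIRST, PRIVATE = {"foo": "bar"}, {}
```

Calling `cookies_seen(LeakyServer(), FIRST, PRIVATE)` reports `foo=bar` for both sessions, while `FixedServer` reports an empty dictionary for the private window and still serves the cached widgets.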