maxcountryman / flask-login

Flask user session management.
https://flask-login.readthedocs.io/
MIT License

Clear Cookie needs SameSite and Secure attributes #683

Open Maheshkumar-novice opened 2 years ago

Maheshkumar-novice commented 2 years ago

Describe the bug
We need to provide the SameSite and Secure attributes when we clear the cookie as well, as some browsers (for example, Brave) do not clear the cookie without SameSite: None and Secure, which are needed for CORS.

To Reproduce
Steps to reproduce the behavior:

  1. Log in using flask-login with remember me set to true
  2. Verify that the remember me cookie is set
  3. Log out
  4. Verify whether the remember me cookie is cleared or not
  5. In my case it's not

Expected behavior
The remember cookie should be cleared.

Screenshots
[Three Brave browser screenshots (brave1, brave2, brave3) and three Chrome browser screenshots (chrome1, chrome2, chrome3); images not included here.]

    def _set_cookie(self, response):
        ....
        response.set_cookie(
            cookie_name,
            value=data,
            expires=expires,
            domain=domain,
            path=path,
            secure=secure,
            httponly=httponly,
            samesite=samesite,
        )

    def _clear_cookie(self, response):
        ...
        response.delete_cookie(cookie_name, domain=domain, path=path)

We are sending SameSite and Secure in _set_cookie but not in _clear_cookie.

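A check for the mismatch described in the report, as an added example that is not part of flask-login or of this issue: it parses the Set-Cookie header a login response would carry against the one the logout response carries and reports which attributes differ, then builds a clearing header that keeps Secure and SameSite. The cookie name, domain and both header strings are constructed for the example, and the builder uses only the standard library rather than Werkzeug's delete_cookie.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers: what _set_cookie emits at login, and what a
# _clear_cookie that passes only domain and path emits at logout.
LOGIN_SET_COOKIE = (
    "remember_token=abc123; Domain=example.test; Path=/; "
    "Secure; HttpOnly; SameSite=None"
)
LOGOUT_CLEAR_COOKIE_BAD = (
    "remember_token=; Domain=example.test; Path=/; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0"
)


def parse_set_cookie(header):
    """Return the cookie name and its non-empty attributes (lower-case keys)."""
    cookie = SimpleCookie()
    cookie.load(header)
    name, morsel = next(iter(cookie.items()))
    attrs = {k: v for k, v in morsel.items() if v not in ("", False)}
    return {"name": name, "attrs": attrs}


def clear_mismatch(set_header, clear_header):
    """List the attributes on which the clearing cookie fails to match the
    cookie stored at login; a non-empty list means the browser may keep the
    original cookie (Secure and SameSite=None must travel together)."""
    s, c = parse_set_cookie(set_header), parse_set_cookie(clear_header)
    problems = []
    if s["name"] != c["name"]:
        problems.append("name")
    for attr in ("domain", "path", "secure", "samesite"):
        if s["attrs"].get(attr) != c["attrs"].get(attr):
            problems.append(attr)
    if "max-age" not in c["attrs"] and "expires" not in c["attrs"]:
        problems.append("no expiry")
    return problems


def clear_cookie_header(name, domain=None, path="/", secure=False, samesite=None):
    """Build a clearing Set-Cookie header that carries the same Secure and
    SameSite attributes as the cookie it is meant to remove."""
    cookie = SimpleCookie()
    cookie[name] = ""
    morsel = cookie[name]
    morsel["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    morsel["max-age"] = 0
    morsel["path"] = path
    if domain:
        morsel["domain"] = domain
    if secure:
        morsel["secure"] = True
    if samesite:
        morsel["samesite"] = samesite
    return morsel.OutputString()
```

Running clear_mismatch on the two constructed headers reports secure and samesite; the header from clear_cookie_header with secure=True and samesite="None" reports nothing.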

maxcountryman commented 10 months ago

If this is still an issue then please address it with a proposed fix in the form of a PR.