knivre
commented
7 years ago Hi,
The motivation behind that pull request makes a lot of sense and I concur that this issue should be addressed.
That being said, it raises a significant number of questions and remarks.
- Is commit 15b8dfdaea52909c24dd50e51ba00f3f49bea596 really related to that Set-Cookie issue or is it another issue ? More explanations in the commit would be welcome.
- I believe commit 0aec0d9b6810823d6e7afa74d986a84876370f1a forgets to deal with this block: https://github.com/fengsp/flask-session/blob/090dc091aba699fe4661cc3b775f0ae99df35712/flask_session/sessions.py#L151-L159
- This block indicates that, at some point in the past, there has been some attempt at handling SESSION_REFRESH_EACH_REQUEST in flask_session -- it would be very interesting to know why this was aborted... (some touchy corner case perhaps?)
Last but not least: I know this is flask-session's Git repository, but the behaviour implemented by flask itself raises questions too: does anyone know why SESSION_REFRESH_EACH_REQUEST applies to permanent sessions only? The original commit ( https://github.com/pallets/flask/commit/d1d835c02302884b2db1cab099b3ea6a84f41d32 ) says nothing about this discrimination.
bakert
funoverip
As currently implemented, flask session will add the set-cookie header to every request including static files, etc. this prevents most standard caching setups. We should call
self.should_set_cookie()to determine if the set-cookie header should be included.With flask default config, this doesn't actually modify the set-cookie header behavior. But, with this change, and by setting
SESSION_REFRESH_EACH_REQUESTto False in the flask app config, the set-cookie header will only be included whensession.modifiedis True. This attribute is set anytime one modifies the session, but can also be set manually in specific flask views if needed to update session timeouts.