From e7c3a127b8f4a49b45aae49ca2b109eb2b1ed8db Mon Sep 17 00:00:00 2001
From: Sibren Vasse
Date: Sat, 9 May 2020 14:13:37 +0200
Subject: [PATCH] Set samesite and secure attributes of session cookie. Enable strong session protection.
---
 app/extensions.py | 1 +
 server.py | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/app/extensions.py b/app/extensions.py
index 872392b8..7694090a 100644
--- a/app/extensions.py
+++ b/app/extensions.py
@@ -5,4 +5,5 @@ from flask_sqlalchemy import SQLAlchemy
 db = SQLAlchemy()
 login_manager = LoginManager()
+login_manager.session_protection = "strong"
 migrate = Migrate(db=db)
diff --git a/server.py b/server.py
index 3f1ad13f..cb4fbec7 100644
--- a/server.py
+++ b/server.py
@@ -83,6 +83,9 @@ def create_app() -> Flask:
     # to avoid conflict with other cookie
     app.config["SESSION_COOKIE_NAME"] = "slapp"
+    if URL.startswith("https"):
+        app.config["SESSION_COOKIE_SECURE"] = True
+        app.config["SESSION_COOKIE_SAMESITE"] = "strict"
     init_extensions(app)
     register_blueprints(app)
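Review bot: The new `login_manager.session_protection = "strong"` line carries no comment, and the operational consequence is not obvious from the name: Flask-Login's strong mode ties the session to a hash of the client address and user agent and clears the whole session (including the remember token) when that hash changes, so users whose address changes mid-session are logged out. If this app is deployed behind a reverse proxy without the forwarded address being applied (I cannot tell from the hunk), every client hashes to the proxy's address and the protection is largely ineffective rather than harmful, which is worth knowing when debugging either symptom. I would add above the line: `# "strong": drop the session (and remember token) if the client address/user-agent hash changes; requires the real client address to be visible to the app when behind a proxy.`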
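Review bot: `SESSION_COOKIE_SAMESITE` is set only inside the `if URL.startswith("https")` branch, but SameSite is independent of transport and is the one attribute here that protects against cross-site request forgery, so a plain-http deployment silently gets neither attribute; only `SESSION_COOKIE_SECURE` needs the scheme gate. I would hoist it: `app.config["SESSION_COOKIE_SAMESITE"] = "Strict"` before the `if`, and tighten the guard to `if URL.startswith("https://"):` so a host name that merely begins with "https" is not mistaken for a TLS URL. Note also that Strict withholds the cookie on top-level navigations arriving from other sites (a link from an email, for instance), so users following such a link land logged-out; whether that is acceptable or "Lax" is the intended level should be recorded in a comment. `URL` is defined outside the hunk, and `create_app` continues beyond it.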