How to explicitly set samesite=None on a flask response

python flask cookies samesite
Mark Ruse picture Mark Ruse · Jul 1, 2019 · Viewed 10.6k times · Source

Due to changes arriving in Chrome during July, I need to modify my app to explicitly provide the SameSite=None key value. This is due to the RFC treating the absence of this setting in a more impacting way than if it is present but set to None.

However on the set_cookie method, the samesite parameter is defaulted to None which results in it not being written into the set-cookie. How can I force this into the set-cookie part of the response?

When I try to set the samesite=None with the following code

resp.set_cookie('abcid', 'Hello', domain=request_data.domain, path='/', samesite=None, max_age=63072000)

This does not show any SameSite detail in the returned set-cookie

abcid=Hello; Domain=.localhost; Expires=Tue, 29-Jun-2021 22:34:02 GMT; Max-Age=63072000; Path=/

And if I try and explicitly set the value of Lax (which is one of the accepted values per rfc) as so

resp.set_cookie('abcid', "Hello", domain=request_data.domain, path='/', samesite="Lax", max_age=63072000)

I get back the set-cookie which explicitly has the SameSite=Lax setting

abcid=Hello; Domain=.localhost; Expires=Tue, 29-Jun-2021 23:03:10 GMT; Max-Age=63072000; Path=/; SameSite=Lax

I have tried None, "None", and "" but these either crash the application or omit the SameSite in the resultant response.

Any help would be gratefully received

Answer

rowan_m picture rowan_m · Jul 5, 2019

Once the fix to this issue is released, you will be able to use set_cookie() like this:

from flask import Flask, make_response

app = Flask(__name__)

@app.route('/')
def hello_world():
    resp = make_response('Hello, World!');
    resp.set_cookie('same-site-cookie', 'foo', samesite='Lax');
    resp.set_cookie('cross-site-cookie', 'bar', samesite='Lax', secure=True);
    return resp

While you're waiting for the release, you can still set the header explicitly:

from flask import Flask, make_response

app = Flask(__name__)

@app.route('/')
def hello_world():
    resp = make_response('Hello, World!');
    resp.set_cookie('same-site-cookie', 'foo', samesite='Lax');
    # Ensure you use "add" to not overwrite existing cookie headers
    resp.headers.add('Set-Cookie','cross-site-cookie=bar; SameSite=None; Secure')
    return resp

Related questions

Flask permanent session: where to define them?

By default, Flask uses volatile sessions, which means the session cookie is set to expire when browser closes. In order to use permanent sessions, which will use a cookie with a defined expiration date, one should set session.permanent = True, …

Read More
Get the data received in a Flask request

I want to be able to get the data sent to my Flask app. I've tried accessing request.data but it is an empty string. How do you access request data? from flask import request @app.route('/', methods=[…

Read More
How to serve static files in Flask

So this is embarrassing. I've got an application that I threw together in Flask and for now it is just serving up a single static HTML page with some links to CSS and JS. And I can't find where in …

Read More