pierrz

Reputation: 119

Flask WTF error - CSRF session token is missing (but actually not)

Currently trying to fix this issue, I have browsed many posts but still cannot solve this problem hence this message to the community :)

I am creating a dev/test environment for a Flask-based website and I have to duplicate the current website into a subdomain, such as from mydomain.com to dev.mydomain.com, and so on for the additional related services such as elastic search (e.g. from es.mydomain.com to es-dev.mydomain.com).

So here I am, I deployed everything through Nginx; the main website dev.mydomain.com and all services run and are accessible. BUT I cannot log in to Flask, which throws me an error 400 missing CSRF session token when there are actually 2 session tokens ... it seems that 1 duplicate is created in the form submission process, as the cookie holds 2 session keys.

Before form submission

After form submission

CSRF is enabled for the whole app via csrf.init_app(app) and my Flask config is:

SECRET_KEY = os.getenv("SECRET_KEY")
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
REMEMBER_COOKIE_SECURE = True
REMEMBER_COOKIE_HTTPONLY = True

I'm trying different config flavors but no improvement so far ...

Some help would be appreciated as always, thank you in advance :)

Upvotes: 1

Views: 688

Answers (1)

pierrz

Reputation: 119

For the record, one just needs to set the SESSION_COOKIE_NAME configuration parameter to solve that problem.

Cf. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_NAME

Upvotes: 0
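An added illustration (not code from the question or the answer) of why a distinct SESSION_COOKIE_NAME removes the duplicate: it models which cookies a browser sends to dev.mydomain.com and flags names that appear twice. It assumes the production site scopes its cookie, under Flask's default name `session`, to the parent domain; the cookie values and the name `dev_session` are constructed.

```python
# Added example: stdlib only, hostnames taken from the question, values constructed.
from collections import Counter


def domain_match(host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3 domain matching (simplified: no IP addresses)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_header(host, jar):
    """Build the Cookie header a browser would send to `host`."""
    return "; ".join(
        f"{c['name']}={c['value']}"
        for c in jar
        if domain_match(host, c["domain"], c["host_only"])
    )


def duplicate_names(header):
    """Return the cookie names that occur more than once in a Cookie header."""
    names = [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]
    return sorted(n for n, count in Counter(names).items() if count > 1)


def jar_for(dev_cookie_name):
    """Browser cookie jar after visiting both sites (constructed sample)."""
    return [
        # Assumption: production cookie is scoped to the parent domain,
        # so it is also sent to every subdomain.
        {"name": "session", "value": "PROD_SIGNED",
         "domain": "mydomain.com", "host_only": False},
        # Assumption: the dev app's cookie is host-only.
        {"name": dev_cookie_name, "value": "DEV_SIGNED",
         "domain": "dev.mydomain.com", "host_only": True},
    ]


if __name__ == "__main__":
    for name in ("session", "dev_session"):
        header = cookie_header("dev.mydomain.com", jar_for(name))
        print(f"dev cookie name {name!r}: Cookie: {header}")
        print(f"  duplicate names: {duplicate_names(header)}")
```

With two cookies named `session` in one request, the server may read a session that was signed by the other site and holds no CSRF token for this one, which matches the 400 in the question.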
