OmikronII

Reputation: 35

Flask Session Cookies Expire Almost Instantly, Can't Set SameSite Attribute

I am making a web application with a session cookie login system. When using the cookies they expire within seconds, logging the user out of any service they were in. When I open my app I occasionally get a warning in the terminal that states: UserWarning: The session cookie domain is an IP address. This may not work as intended in some browsers. Add an entry to your hosts file, for example "localhost.localdomain", and use that instead. I'm hosting this app on Heroku so I don't think editing my local file would help, but if there's a way to get this solved on Heroku that would be great. Another error message I get comes from the console in the website itself, which reads:

Cookie “session” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I set the Session cookie in my web application to:

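import tempfile
from flask import Flask
from flask_session import Session

app = Flask(__name__)
app.config["SESSION_FILE_DIR"] = tempfile.mkdtemp()  # new temp dir on every process start
app.config["SESSION_PERMANENT"] = False
app.config["SESSION_TYPE"] = "filesystem"  # server-side sessions stored as files
app.config["SESSION_COOKIE_SECURE"] = True  # adds the Secure attribute
app.config["SESSION_COOKIE_SAMESITE"] = "None"  # the string "None", sent as SameSite=None
Session(app)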

But this didn't solve my problem and both errors keep coming up. If there's any way to manually set SameSite and Secure that would be fantastic. Getting an HTTPS connection on Heroku did not work. I don't know why this is happening, and it breaks the site. If there's any advice anyone has, that would be greatly appreciated!

Upvotes: -1

Views: 1537

Answers (2)

Tore Nestenius

Reputation: 19901

You need to use a domain name to access the service (https://domain.xxx/) and not the IP address (https://123.123.123.213).

To avoid a lot of pain and errors, you should aim to use HTTPS, especially if you want cookies to work properly. Both the Secure and SameSite attributes require HTTPS to work properly in most cases. And to get HTTPS to work you need a domain name and a proper certificate.

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging cookie problems

Upvotes: 1

morris_rivers

Reputation: 1

I had a similar issue with my Flask app ... setting the value to None (i.e. app.config["SESSION_COOKIE_SAMESITE"] = None) instead of "None" fixed my issue ...

Upvotes: 0
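
Added example (not part of either answer or the asker's code): a standard-library Python checker for the conditions behind the two warnings in this thread, namely SameSite=None without Secure, a Secure cookie on a non-HTTPS request, and an IP address as the cookie host. The function names and sample headers are constructed for illustration; request_host is assumed to carry no port.

```python
import ipaddress

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def is_ip(host):
    """True if host is an IPv4/IPv6 literal (no port expected)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def audit_cookie(header, request_scheme, request_host):
    """Return reasons a browser may drop or mishandle this session cookie."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and not secure:
        problems.append("SameSite=None without Secure")
    if "samesite" in attrs and samesite not in ("strict", "lax", "none"):
        problems.append("invalid SameSite value")
    if secure and request_scheme != "https":
        problems.append("Secure cookie set over plain HTTP")
    if is_ip(attrs.get("domain", "").lstrip(".")) or is_ip(request_host):
        problems.append("cookie host is an IP address")
    return problems

if __name__ == "__main__":
    # Constructed Set-Cookie headers, not captured from the asker's app.
    samples = [
        ("session=abc123; HttpOnly; Path=/; SameSite=None", "http", "203.0.113.10"),
        ("session=abc123; Secure; HttpOnly; Path=/; SameSite=None", "http", "app.example.com"),
        ("session=abc123; Secure; HttpOnly; Path=/; SameSite=None", "https", "app.example.com"),
        ("session=abc123; HttpOnly; Path=/", "http", "app.example.com"),  # SameSite omitted
    ]
    for header, scheme, host in samples:
        print(f"{scheme}://{host}  {header!r} -> {audit_cookie(header, scheme, host) or 'ok'}")
```

To use it against a deployed app, copy the Set-Cookie value from the browser's network panel or from `curl -i` output and pass the scheme and host of the URL that was requested.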
