authorAlex Gaynor <alex.gaynor@gmail.com>2018-05-24 18:33:29 -0400
committerGitHub <noreply@github.com>2018-05-24 18:33:29 -0400
commit2d9390fd73fee560a72d600f846befcb9e140ad0 (patch)
treef65e0441cb7010198988a0d81d651cd8acae5487
parent77caaff93f3c7dc8d43d6375b06b05e2be6cf7d3 (diff)
Set the samesite flag to Lax by default on session cookies
Also make it possible to set it to other values
-rw-r--r--pyramid/session.py16
1 files changed, 16 insertions, 0 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index 4a9c8c100..70af99085 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -135,6 +135,7 @@ def BaseCookieSessionFactory(
domain=None,
secure=False,
httponly=False,
+ samesite='Lax',
timeout=1200,
reissue_time=0,
set_on_exception=True,
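Review bot: The new default `samesite='Lax'` on the added line is a behaviour change for every existing caller of BaseCookieSessionFactory, not just an added option: with the Lax attribute, browsers no longer send the session cookie on cross-site POST navigations, so flows that post back into the application from another origin (for example an identity-provider or payment callback) will arrive without the session unless the operator opts out. The commit message only says the flag is set by default; a changelog entry and a sentence in the docstring should state this consequence and name the value to pass to keep the previous behaviour (presumably `samesite=None`, if the response's set_cookie omits the attribute for None — worth confirming). The same default is introduced for `cookie_samesite` in the UnencryptedCookieSessionFactoryConfig hunk and for `samesite` in the SignedCookieSessionFactory hunk below. The function signature starts before this hunk.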
@@ -187,6 +188,9 @@ def BaseCookieSessionFactory(
Hide the cookie from Javascript by setting the 'HttpOnly' flag of the
session cookie. Default: ``False``.
+ ``samesite``
+ The 'samesite' option of the session cookie. Default ``'Lax'``.
+
``timeout``
A number of seconds of inactivity before a session times out. If
``None`` then the cookie never expires. This lifetime only applies
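Review bot: The added docstring entry reads `Default ``'Lax'``.` without the colon, while the two parallel entries added later in this diff read `Default: ``'Lax'``.`; the three should match. It also only restates the parameter name; a reader needs the accepted values, so I would write it as `The 'SameSite' attribute of the session cookie: ``'Strict'``, ``'Lax'``, or ``None`` to leave the attribute unset. Default: ``'Lax'``.` — with the accepted spellings and the meaning of None confirmed against the response's set_cookie, which this hunk does not show. The docstring continues outside the hunk.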
@@ -229,6 +233,7 @@ def BaseCookieSessionFactory(
_cookie_domain = domain
_cookie_secure = secure
_cookie_httponly = httponly
+ _cookie_samesite = samesite
_cookie_on_exception = set_on_exception
_timeout = timeout if timeout is None else int(timeout)
_reissue_time = reissue_time if reissue_time is None else int(reissue_time)
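Review bot: The added `_cookie_samesite = samesite` stores the value unchecked, so a misspelled or unsupported value is not reported at factory construction but, as far as this hunk shows, only when the first response tries to set the cookie, which may be deep inside request handling and easy to miss in testing. A fail-fast check next to the existing `int(timeout)` coercions would surface the mistake where it is made, along the lines of `if samesite is not None and samesite.lower() not in ('strict', 'lax'): raise ValueError("samesite must be 'Strict', 'Lax', or None")`, with the accepted set matched to whatever the response's set_cookie actually allows. The enclosing class body starts before and ends after this hunk.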
@@ -367,6 +372,7 @@ def BaseCookieSessionFactory(
domain=self._cookie_domain,
secure=self._cookie_secure,
httponly=self._cookie_httponly,
+ samesite=self._cookie_samesite,
)
return True
@@ -382,6 +388,7 @@ def UnencryptedCookieSessionFactoryConfig(
cookie_domain=None,
cookie_secure=False,
cookie_httponly=False,
+ cookie_samesite='Lax',
cookie_on_exception=True,
signed_serialize=signed_serialize,
signed_deserialize=signed_deserialize,
@@ -434,6 +441,9 @@ def UnencryptedCookieSessionFactoryConfig(
``cookie_httponly``
The 'httpOnly' flag of the session cookie.
+ ``cookie_samesite``
+ The 'samesite' option of the session cookie. Default: ``'Lax'``.
+
``cookie_on_exception``
If ``True``, set a session cookie even if an exception occurs
while rendering a view.
@@ -469,6 +479,7 @@ def UnencryptedCookieSessionFactoryConfig(
domain=cookie_domain,
secure=cookie_secure,
httponly=cookie_httponly,
+ samesite=cookie_samesite,
timeout=timeout,
reissue_time=0, # to keep session.accessed == session.renewed
set_on_exception=cookie_on_exception,
@@ -491,6 +502,7 @@ def SignedCookieSessionFactory(
domain=None,
secure=False,
httponly=False,
+ samesite='Lax',
set_on_exception=True,
timeout=1200,
reissue_time=0,
@@ -553,6 +565,9 @@ def SignedCookieSessionFactory(
Hide the cookie from Javascript by setting the 'HttpOnly' flag of the
session cookie. Default: ``False``.
+ ``samesite``
+ The 'samesite' option of the session cookie. Default: ``'Lax'``.
+
``timeout``
A number of seconds of inactivity before a session times out. If
``None`` then the cookie never expires. This lifetime only applies
@@ -608,6 +623,7 @@ def SignedCookieSessionFactory(
domain=domain,
secure=secure,
httponly=httponly,
+ samesite=samesite,
timeout=timeout,
reissue_time=reissue_time,
set_on_exception=set_on_exception,