Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Way to select session or cookie based tokens? #94

Open
rkerr opened this issue Dec 19, 2019 · 0 comments
Open

Way to select session or cookie based tokens? #94

rkerr opened this issue Dec 19, 2019 · 0 comments
Labels
feature-request

Comments

@rkerr
Copy link

rkerr commented Dec 19, 2019

With the django middleware the default settings are such that the CSRF token is stored in a cookie, with an optional setting to store in a server side session instead of using the cookie.

With Flask-Seasurf it appears that the default is to store the token in both the session and the cookie, but always use the session to validate against. I can't see a way to configure things to set just the session and not the cookie, or to use just the cookie and not store/validate against the session.

There is a disable_cookie() decorator, but that appears to disable session based storage too (as the session is actually updated in _set_session_cookie), Not sure if that's intentional - feels like a bug?

Ideally it would be nice for Flask-Seasurf to have the same flexibility as the django middleware, but if not it would be good to get a way to optionally disable the cookie as it doesn't seem to be strictly required.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rkerr @alanhamlett