Configuring Cookie Security Policies

To configure cookie security policies in this project, you update the application's configuration dictionary. The SessionInterface uses these values through specific getter methods to apply security attributes like Secure, HttpOnly, SameSite, and Partitioned when saving the session cookie.

Basic Security Configuration

You can set the standard security flags by updating the SESSION_COOKIE_HTTPONLY and SESSION_COOKIE_SECURE configuration keys.

from flask import Flask

app = Flask(__name__)

# Prevent JavaScript from accessing the session cookie
app.config["SESSION_COOKIE_HTTPONLY"] = True

# Ensure the cookie is only sent over HTTPS
app.config["SESSION_COOKIE_SECURE"] = True

# Set a specific domain and path
app.config["SESSION_COOKIE_DOMAIN"] = ".example.com"
app.config["SESSION_COOKIE_PATH"] = "/"

The SessionInterface retrieves these values using the following methods during the save_session process:

get_cookie_httponly(app): Returns the value of SESSION_COOKIE_HTTPONLY.
get_cookie_secure(app): Returns the value of SESSION_COOKIE_SECURE.
get_cookie_domain(app): Returns the value of SESSION_COOKIE_DOMAIN.
get_cookie_path(app): Returns the value of SESSION_COOKIE_PATH (falls back to APPLICATION_ROOT).

Configuring SameSite and Partitioned Attributes

For modern browser security, you can configure the SameSite and Partitioned (CHIPS) attributes.

app.config.update(
    # Restrict cookie to first-party or top-level navigation contexts
    SESSION_COOKIE_SAMESITE="Lax",
    
    # Enable cookie partitioning for cross-site contexts (requires Secure=True)
    SESSION_COOKIE_PARTITIONED=True,
    SESSION_COOKIE_SECURE=True 
)

SameSite Policies

The get_cookie_samesite(app) method reads the SESSION_COOKIE_SAMESITE config. Valid values are:

"Strict": The cookie is only sent in a first-party context.
"Lax": The cookie is sent with safe top-level navigations (default in most modern browsers).
None: The SameSite attribute is not set on the cookie.

Partitioned Cookies (CHIPS)

The get_cookie_partitioned(app) method reads SESSION_COOKIE_PARTITIONED. When set to True, the cookie is stored using partitioned storage, which is useful when the application is embedded in an <iframe> across different sites.

Customizing Policy Retrieval

If you need to implement dynamic security policies (e.g., based on the request headers), you can override the getter methods in a custom SessionInterface.

from flask.sessions import SecureCookieSessionInterface

class CustomSessionInterface(SecureCookieSessionInterface):
    def get_cookie_secure(self, app):
        # Example: Dynamically require Secure based on custom logic
        return super().get_cookie_secure(app) or app.config.get("FORCE_HTTPS", False)

app.session_interface = CustomSessionInterface()

Troubleshooting

Invalid SameSite Values

If SESSION_COOKIE_SAMESITE is set to a value other than "Lax", "Strict", or None, Flask will raise a ValueError when attempting to set the cookie.

# This will cause a ValueError during request processing
app.config["SESSION_COOKIE_SAMESITE"] = "invalid"

Partitioned Cookies Requirement

While the SessionInterface allows setting SESSION_COOKIE_PARTITIONED independently, most browsers require the Secure flag to be True for Partitioned cookies to be accepted. Ensure SESSION_COOKIE_SECURE=True is set when using partitioning.

Domain Fallback Changes

As of version 2.3, get_cookie_domain(app) no longer falls back to SERVER_NAME if SESSION_COOKIE_DOMAIN is not set. If you require a specific domain, you must explicitly define it in the configuration.

Basic Security Configuration​

Configuring SameSite and Partitioned Attributes​

SameSite Policies​

Partitioned Cookies (CHIPS)​

Customizing Policy Retrieval​

Troubleshooting​

Invalid SameSite Values​

Partitioned Cookies Requirement​

Domain Fallback Changes​