Generate valid session-cookie-path(s) (fix for #3459)

2026-05-22 21:32:11 +00:00 · 2026-01-18 15:38:44 +01:00
parent cf3b619c73
commit c13eac91c8
3 changed files with 12 additions and 35 deletions
@@ -25,7 +25,8 @@ import sys
 import os
 import mimetypes

-from flask import Flask
+from flask import Flask, request
+from flask.sessions import SecureCookieSessionInterface
 from .MyLoginManager import MyLoginManager
 from flask_principal import Principal

@@ -114,8 +115,14 @@ if limiter_present:
 else:
    limiter = None

+class ScriptNameSessionInterface(SecureCookieSessionInterface):
+    def get_cookie_path(self, app):
+        # Called once per response, after request context exists
+        return app.wsgi_app.script_name.rstrip("/") or "/"
+

 def create_app():
+    app.session_interface = ScriptNameSessionInterface()
    if csrf:
        csrf.init_app(app)

@@ -7,7 +7,6 @@ from flask import abort
 from flask import current_app
 from flask import flash
 from flask import g
-from flask import has_app_context
 from flask import redirect
 from flask import request
 from flask import session
@@ -469,7 +468,7 @@ class LoginManager:
        config = current_app.config
        cookie_name = config.get("REMEMBER_COOKIE_NAME", COOKIE_NAME)
        domain = config.get("REMEMBER_COOKIE_DOMAIN")
-        path = config.get("REMEMBER_COOKIE_PATH", "/")
+        path = config.get("REMEMBER_COOKIE_PATH", current_app.wsgi_app.script_name)

        secure = config.get("REMEMBER_COOKIE_SECURE", COOKIE_SECURE)
        httponly = config.get("REMEMBER_COOKIE_HTTPONLY", COOKIE_HTTPONLY)
@@ -520,36 +519,5 @@ class LoginManager:
        config = current_app.config
        cookie_name = config.get("REMEMBER_COOKIE_NAME", COOKIE_NAME)
        domain = config.get("REMEMBER_COOKIE_DOMAIN")
-        path = config.get("REMEMBER_COOKIE_PATH", "/")
+        path = config.get("REMEMBER_COOKIE_PATH", current_app.wsgi_app.script_name)
        response.delete_cookie(cookie_name, domain=domain, path=path)
-
-    @property
-    def _login_disabled(self):
-        """Legacy property, use app.config['LOGIN_DISABLED'] instead."""
-        import warnings
-
-        warnings.warn(
-            "'_login_disabled' is deprecated and will be removed in"
-            " Flask-Login 0.7. Use 'LOGIN_DISABLED' in 'app.config'"
-            " instead.",
-            DeprecationWarning,
-            stacklevel=2,
-        )
-
-        if has_app_context():
-            return current_app.config.get("LOGIN_DISABLED", False)
-        return False
-
-    @_login_disabled.setter
-    def _login_disabled(self, newvalue):
-        """Legacy property setter, use app.config['LOGIN_DISABLED'] instead."""
-        import warnings
-
-        warnings.warn(
-            "'_login_disabled' is deprecated and will be removed in"
-            " Flask-Login 0.7. Use 'LOGIN_DISABLED' in 'app.config'"
-            " instead.",
-            DeprecationWarning,
-            stacklevel=2,
-        )
-        current_app.config["LOGIN_DISABLED"] = newvalue
@@ -61,11 +61,13 @@ class ReverseProxied(object):

    def __call__(self, environ, start_response):
        self.proxied = False
+        self.script_name = "/"
        script_name = environ.get('HTTP_X_SCRIPT_NAME', '')
        if script_name:
            self.proxied = True
            environ['SCRIPT_NAME'] = script_name
            path_info = environ.get('PATH_INFO', '')
+            self.script_name = script_name
            if path_info and path_info.startswith(script_name):
                environ['PATH_INFO'] = path_info[len(script_name):]