Browse Source

Append a 'Vary: Cookie' header to the response when the session has been accessed

pull/1026/head
Mihir Singh 11 years ago
parent
commit
671c67aac9
  1. 22
      flask/sessions.py

22
flask/sessions.py

@ -51,6 +51,13 @@ class SessionMixin(object):
#: The default mixin implementation just hardcodes `True` in. #: The default mixin implementation just hardcodes `True` in.
modified = True modified = True
#: the accessed variable indicates whether or not the session object has
#: been accessed in that request. This allows flask to append a `Vary:
#: Cookie` header to the response if the session is being accessed. This
#: allows caching proxy servers, like Varnish, to use both the URL and the
#: session cookie as keys when caching pages, preventing multiple users
#: from being served the same cache.
accessed = True
class TaggedJSONSerializer(object): class TaggedJSONSerializer(object):
"""A customized JSON serializer that supports a few extra types that """A customized JSON serializer that supports a few extra types that
@ -112,9 +119,18 @@ class SecureCookieSession(CallbackDict, SessionMixin):
def __init__(self, initial=None): def __init__(self, initial=None):
def on_update(self): def on_update(self):
self.modified = True self.modified = True
self.accessed = True
CallbackDict.__init__(self, initial, on_update) CallbackDict.__init__(self, initial, on_update)
self.modified = False self.modified = False
self.accessed = False
def __getitem__(self, key):
self.accessed = True
return super(SecureCookieSession, self).__getitem__(key)
def get(self, key, default=None):
self.accessed = True
return super(SecureCookieSession, self).get(key, default)
class NullSession(SecureCookieSession): class NullSession(SecureCookieSession):
"""Class used to generate nicer error messages if sessions are not """Class used to generate nicer error messages if sessions are not
@ -334,6 +350,12 @@ class SecureCookieSessionInterface(SessionInterface):
domain = self.get_cookie_domain(app) domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app) path = self.get_cookie_path(app)
if session.accessed:
response.headers.add('Vary', 'Cookie')
else:
# Delete case. If there is no session we bail early. # Delete case. If there is no session we bail early.
# If the session was modified to be empty we remove the # If the session was modified to be empty we remove the
# whole cookie. # whole cookie.

Loading…
Cancel
Save