show warning if session cookie domain is ip

closes #2007

flask/helpers.py

@@ -976,3 +976,23 @@ def total_seconds(td):
     :rtype: int
     """
     return td.days * 60 * 60 * 24 + td.seconds
+
+def is_ip(ip):
+    """Returns the if the string received is an IP or not.
+
+    :param string: the string to check if it an IP or not
+    :param var_name: the name of the string that is being checked
+
+    :returns: True if string is an IP, False if not
+    :rtype: boolean
+    """
+    import socket
+
+    for family in (socket.AF_INET, socket.AF_INET6):
+        try:
+            socket.inet_pton(family, ip)
+        except socket.error:
+            pass
+        else:
+            return True
+    return False

flask/sessions.py

@@ -11,13 +11,14 @@
 
 import uuid
 import hashlib
+from warnings import warn
 from base64 import b64encode, b64decode
 from datetime import datetime
 from werkzeug.http import http_date, parse_date
 from werkzeug.datastructures import CallbackDict
 from . import Markup, json
 from ._compat import iteritems, text_type
-from .helpers import total_seconds
+from .helpers import total_seconds, is_ip
 
 from itsdangerous import URLSafeTimedSerializer, BadSignature
 
@@ -336,6 +337,9 @@ class SecureCookieSessionInterface(SessionInterface):
 
     def save_session(self, app, session, response):
         domain = self.get_cookie_domain(app)
+        if domain is not None:
+            if is_ip(domain):
+                warnings.warn("IP introduced in SESSION_COOKIE_DOMAIN", RuntimeWarning)
         path = self.get_cookie_path(app)
 
         # Delete case.  If there is no session we bail early.