fix: session cookie options for HTTP (insecure override + auto secure)
Co-authored-by: Cursor <cursoragent@cursor.com>
@@ -55,6 +55,40 @@ login_manager = LoginManager()
csrf = CSRFProtect()
def _apply_session_cookie_settings(app: Flask) -> None:
"""Secure Cookie 仅在浏览器用 https:// 访问时才有意义;用 http://IP:端口 时若仍设 Secure,浏览器会丢弃会话,表现为登录后立即回到登录页。"""
if os.environ.get("NAV_COOKIES_INSECURE_HTTP") == "1":
app.config["SESSION_COOKIE_SECURE"] = False
app.config["REMEMBER_COOKIE_SECURE"] = False
if (os.environ.get("NAV_SESSION_COOKIE_SECURE") or "").strip().lower() in (
"1",
"true",
"yes",
):
print(
"[nav] NAV_COOKIES_INSECURE_HTTP=1:已关闭 Secure Cookie,便于 http:// 内网访问。",
flush=True,
)
return
mode = (os.environ.get("NAV_SESSION_COOKIE_SECURE") or "0").strip().lower()
if mode in ("1", "true", "yes"):
app.config["SESSION_COOKIE_SECURE"] = True
app.config["REMEMBER_COOKIE_SECURE"] = True
elif mode == "auto":
app.config["SESSION_COOKIE_SECURE"] = False
app.config["REMEMBER_COOKIE_SECURE"] = False
@app.before_request
def _nav_session_cookie_secure_auto():
sec = request.is_secure
app.config["SESSION_COOKIE_SECURE"] = sec
app.config["REMEMBER_COOKIE_SECURE"] = sec
else:
app.config["SESSION_COOKIE_SECURE"] = False
app.config["REMEMBER_COOKIE_SECURE"] = False
def create_app() -> Flask:
app = Flask(__name__)
app.config["SECRET_KEY"] = os.environ.get("NAV_SECRET_KEY") or secrets.token_hex(32)
@@ -64,9 +98,7 @@ def create_app() -> Flask:
app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
app.config["WTF_CSRF_TIME_LIMIT"] = None
if os.environ.get("NAV_SESSION_COOKIE_SECURE") == "1":
app.config["SESSION_COOKIE_SECURE"] = True
app.config["REMEMBER_COOKIE_SECURE"] = True
_apply_session_cookie_settings(app)
trusted = os.environ.get("NAV_CSRF_TRUSTED_ORIGINS", "").strip()
if trusted:
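Review bot: The `auto` branch in the first hunk decides the Secure attribute by writing `app.config["SESSION_COOKIE_SECURE"]` and `app.config["REMEMBER_COOKIE_SECURE"]` from the `_nav_session_cookie_secure_auto` before_request hook, i.e. process-wide state rewritten on every request; under a threaded server an http request can flip it to False while a concurrent https response is still being built, so the attribute a cookie ends up with depends on request interleaving rather than on the request that receives it. For the session cookie Flask already offers a per-request hook, `SessionInterface.get_cookie_secure(app)`, so a small `SecureCookieSessionInterface` subclass (from `flask.sessions`) can return `request.is_secure` without touching shared config, while Flask-Login reads `REMEMBER_COOKIE_SECURE` from config when it sets the remember cookie and, to my knowledge, has no comparable hook, so that setting should stay static and the asymmetry be stated in the docstring. A further caveat for `auto`: behind a TLS-terminating reverse proxy `request.is_secure` is False unless the WSGI app is wrapped in `ProxyFix` with `x_proto=1`, which nothing in this hunk shows, so an https deployment through a proxy would silently lose the Secure attribute; worth one sentence in the docstring. Minor: the notice in the first branch uses `print(..., flush=True)`; `app.logger.warning(...)` would route it with the application's other log output.
```python
class _AutoSecureSessionInterface(SecureCookieSessionInterface):
    """Resolve the session cookie's Secure attribute per request, without shared app.config writes."""

    def get_cookie_secure(self, app):
        return request.is_secure


# … unchanged: _apply_session_cookie_settings up to the "auto" branch …
    elif mode == "auto":
        app.config["SESSION_COOKIE_SECURE"] = False
        app.config["REMEMBER_COOKIE_SECURE"] = False  # static: Flask-Login offers no per-request hook
        app.session_interface = _AutoSecureSessionInterface()
```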