Flask session decorator

[smax17]

Hi, there. I've got some interesting situation. I have cross site request from browser to python flask that establishes flask session and therefore flask sets cookie header "Set-Cookie" with encrypted session key.

However, assuming the request is cross site, the browser refuses to store this cookie and send it afterwards within the next requests.
So, I need to patch this cookie with SameSite='None' property on flask side just before sending it to the client.

AFAIU the last resort to do this - flask @app.after_request hook where I potentially could change the response. But, analyzing the source code of flask I noticed that set cookie by flask framework is happening later than @app.after_request is being triggered.

`for func in ctx._after_request_functions:
response = self.ensure_sync(func)(response)

    for name in chain(request.blueprints, (None,)):
        if name in self.after_request_funcs:
            for func in reversed(self.after_request_funcs[name]):
                response = self.ensure_sync(func)(response)

    if not self.session_interface.is_null_session(ctx.session):
        self.session_interface.save_session(self, ctx.session, response)`

In the snippet above, the save session is placed in the end, as calling 'after_request' functions do not have session cookie yet.

So, my question to community - is it a bug or everything works as planned? Could we potentially change the calling order in flask for such cases?

P.S. I have a solution for now - I did it on my NGINX server proxy, however it's some kind of workaround rather that the solution.
I know it's possible to set SameSite cookie property on all flask app level for all requests, but It's strongly needed for particular request(s).

Thanks in advance.

[davidism]

Use the SESSION_COOKIE_SAMESITE config to set the attribute.

app.config["SESSION_COOKIE_SAMESITE"] = 'None'

[davidism]

The order is intended. after_request functions can modify the response, including the session data. Therefore, saving the session cookie happens last. You can modify how the session is saved by overriding Flask.session_interface with your own subclass of SessionInterface or SecureCookieSessionInterface.