[Flask] Flask-Security authentication in JS

Federico Delgado Doyle fededelgado at outlook.com
Thu Sep 3 18:28:47 CEST 2015


HttpOnly will stop client JavaScript from messing with the cookie (like getting a copy of it), but it will be transmitted transparently to the server. The same goes for secure cookies: they will be transmitted, but only to secure (HTTPS) sites.

Date: Thu, 3 Sep 2015 15:11:48 +0200
From: krzysztof.sikorski at zerozero.pl
To: connollymorg at gmail.com
CC: fededelgado at outlook.com; flask at python.org
Subject: Re: [Flask] Flask-Security authentication in JS



On 2015-09-03 08:55, Morgan Connolly wrote:


I didn't know that the browser would transmit cookies even if I used JavaScript, having never worked on a dynamic website before. I just tried adding the JavaScript, and without having to do any other work, it works how I want it to. 


You were lucky. Cookies can be set with a "httponly" flag, which prevents JavaScript from seeing them. Looks like default Flask configuration does not set that flag.
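The two cookie flags discussed in this thread, as an added example that is not part of any of the original messages: it parses `Set-Cookie` header values and reports, per cookie, whether page script could read it and whether a browser would attach it to an HTTP or HTTPS request. The header values and cookie names are constructed samples, and domain, path and SameSite matching are deliberately left out.

```python
# Added example: models only the HttpOnly and Secure rules from the thread.
# Assumption: domain/path/SameSite/expiry matching is ignored for brevity.

# Constructed sample Set-Cookie header values (not captured from a real app).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",
    "remember_token=xyz789; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into its name and the two flags of interest."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    # Attribute names are case-insensitive, so normalise before comparing.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return {
        "name": name.strip(),
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


def readable_by_script(cookie):
    """document.cookie exposes a cookie only when HttpOnly is absent."""
    return not cookie["httponly"]


def sent_with_request(cookie, scheme):
    """HttpOnly never blocks sending; Secure limits sending to https."""
    return scheme == "https" or not cookie["secure"]


def audit(headers):
    """Return (name, script_readable, sent_over_http, sent_over_https) rows."""
    rows = []
    for header in headers:
        c = parse_set_cookie(header)
        rows.append((c["name"], readable_by_script(c),
                     sent_with_request(c, "http"),
                     sent_with_request(c, "https")))
    return rows


if __name__ == "__main__":
    for name, js, http, https in audit(SAMPLE_HEADERS):
        print(f"{name:15} script-readable={js!s:5} http={http!s:5} https={https}")
```

A row with `script-readable=True` for a session or remember-me cookie is the finding to act on; a row with `http=True` for such a cookie means it can travel over an unencrypted connection.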
 		 	   		  