[Flask] Flask-Security authentication in JS

Federico Delgado Doyle fededelgado at outlook.com
Thu Sep 3 18:36:51 CEST 2015


That means the cookie won't be accessible through document.cookie in JavaScript.
But the roundtrip is still there, no manual intervention required. At least that is how it works for me.

From: fededelgado at outlook.com
To: krzysztof.sikorski at zerozero.pl; connollymorg at gmail.com
Date: Thu, 3 Sep 2015 09:28:47 -0700
Subject: Re: [Flask] Flask-Security authentication in JS
CC: flask at python.org




HttpOnly will stop client JavaScript from messing with the cookie (like getting a copy of it), but it will be transmitted transparently to the server. Same thing for secure cookies: they will be transmitted, but only to secure (https) sites.

Date: Thu, 3 Sep 2015 15:11:48 +0200
From: krzysztof.sikorski at zerozero.pl
To: connollymorg at gmail.com
CC: fededelgado at outlook.com; flask at python.org
Subject: Re: [Flask] Flask-Security authentication in JS



On 2015-09-03 08:55, Morgan Connolly wrote:


I didn't know that the browser would transmit cookies even if I used JavaScript, having never worked on a dynamic website before. I just tried adding the JavaScript, and without having to do any other work, it works how I want it to. 


You were lucky. Cookies can be set with a "httponly" flag, which prevents JavaScript from seeing them. Looks like default Flask configuration does not set that flag.
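
The behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python model of a browser cookie store showing that an HttpOnly cookie is hidden from `document.cookie` yet still sent with every request, and that a Secure cookie is sent only over https. The `MiniJar` class, the cookie values and the `app.example` URLs are constructed for illustration; the model ignores Domain, Path and expiry matching.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, as a login response might return them.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/",
    "remember_token=xyz789; Path=/; HttpOnly; Secure",
]


class MiniJar:
    """Simplified browser cookie store (hypothetical helper, flags only)."""

    def __init__(self):
        self._cookies = {}

    def store(self, set_cookie_header):
        # Parse one Set-Cookie header and record the two flags of interest.
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self._cookies[name] = {
                "value": morsel.value,
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
            }

    def document_cookie(self):
        # What page script sees: HttpOnly cookies are filtered out.
        return "; ".join(f"{n}={c['value']}"
                         for n, c in self._cookies.items() if not c["httponly"])

    def cookie_header(self, url):
        # What the browser attaches to a request, page load or XHR alike:
        # HttpOnly does not matter here, Secure requires an https URL.
        is_https = urlsplit(url).scheme == "https"
        return "; ".join(f"{n}={c['value']}"
                         for n, c in self._cookies.items()
                         if is_https or not c["secure"])


def build_sample_jar():
    jar = MiniJar()
    for header in SAMPLE_SET_COOKIE:
        jar.store(header)
    return jar
```
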
 		 	   		  
