
I have found a very strange problem in my Flask application. I discovered that in some circumstances multiple session cookies could be created with the same name. I attached a picture of it. It is not browser-specific.


It is strange in itself, but the real problem comes when I try to validate a form with a CSRF token. Unfortunately, Flask picks the wrong session cookie and the validation of the CSRF token cannot succeed. And even more strangely, the problem persists even after multiple form submits. The only solution is deleting the cookies, which is not an option for an average user.

Are there any options to prevent Flask from creating cookies with the same name? Or at least, is there an option to get all cookie names from my application? In that case I would at least be able to delete the session cookies with the same name.

B--rian
igoemon
  • Add headers also in your screenshot, so it's easier to see the problem – Tarun Lalwani May 05 '20 at 19:59
  • How are you running your app in production, with a WSGI layer or with the built-in Flask dev server? When the dev server runs in debug mode it starts a second instance which watches for changes. I could see this potentially causing issues in production, since this server is really single-request-only and could be crossing over values. Can you update the post with your stack details? – vulpxn May 06 '20 at 00:12
  • The project is under development. A few times I ran it with gunicorn (`gunicorn -c gunicorn_config.py --bind 127.0.0.1:5070 wsgi:app`), but most of the time I use the Flask dev server: `FLASK_APP=server.py FLASK_ENV=development flask run --port 5070`. I have a guess what caused the problem: there was a parallel AJAX request when a form was submitted. I fixed this bug and now my "problem" is that I can't reproduce this unusual behavior. – igoemon May 06 '20 at 10:12
  • It could also be a good question how it is possible to create session cookies with the same name intentionally. I mean from the application, not with some kind of cookie editor. I've never seen such a thing before. – igoemon May 06 '20 at 10:34
  • Without headers and/or cookie context, it is hard to determine what is going on. How do the cookies differ from each other? – B--rian May 12 '20 at 14:03
  • `Flask picks a wrong session cookie and the validation of the CSRF token cannot be successful` Where does this happen in the flask code? – azmeuk Dec 29 '20 at 10:14

1 Answer


Without code, it is hard to tell where Flask generates multiple cookies with the same name, but it is possible that you let the cookie live too long; please see Flask: How to remove cookies? to deal with this issue.

If I understand you correctly, another main issue is [comment by me]:

Flask picks a wrong session cookie [of multiple ones with the same name]

Picking the wrong cookie from multiple ones with the same name is not Flask-specific, but rather about the logic used by the client/browser, see e.g. How to handle multiple cookies with the same name?

B--rian
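Added example (not code from the question or the answer): cookies with the same name coexist in a browser when they were set with different Path or Domain attributes, and the browser sends all of them in one Cookie header. Dict-style parsers keep only one value per name, so the snippet below parses the raw header itself to detect duplicates, and builds the expiring Set-Cookie headers needed to clear every copy, one per (path, domain) combination. The sample header and the paths are constructed for illustration.

```python
from typing import Dict, List, Optional, Sequence

# Constructed sample: the Cookie request header a browser sends when two
# "session" cookies coexist (e.g. one set with Path=/ and one with Path=/app).
SAMPLE_COOKIE_HEADER = "session=eyJhIjoxfQ.first; csrf_token=abc123; session=eyJhIjoyfQ.second"


def parse_cookie_header(header: str) -> Dict[str, List[str]]:
    """Split a raw Cookie header into name -> [values], preserving duplicates
    and their order. A plain dict (http.cookies.SimpleCookie, dict-style
    request.cookies access) keeps a single value per name and hides the issue."""
    result: Dict[str, List[str]] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result.setdefault(name.strip(), []).append(value.strip())
    return result


def duplicate_cookie_names(header: str) -> List[str]:
    """Names that occur more than once: worth logging server-side whenever a
    CSRF check fails unexpectedly, since the header alone does not reveal
    which copy the browser considers current."""
    return sorted(n for n, v in parse_cookie_header(header).items() if len(v) > 1)


def expire_cookie_headers(name: str, paths: Sequence[str],
                          domains: Sequence[Optional[str]] = (None,)) -> List[str]:
    """Set-Cookie values that delete every copy of `name`. A browser removes a
    cookie only when Path and Domain match the stored one, so one expiring
    header is emitted per (path, domain) the stray cookies were set with."""
    headers = []
    for domain in domains:
        for path in paths:
            h = f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path={path}"
            if domain:
                h += f"; Domain={domain}"
            headers.append(h)
    return headers


if __name__ == "__main__":
    print("duplicates:", duplicate_cookie_names(SAMPLE_COOKIE_HEADER))
    for h in expire_cookie_headers("session", ["/", "/app"]):
        print("Set-Cookie:", h)
```

In Flask the raw header is available as `request.headers.get("Cookie", "")`, and each returned string can be attached to the response with `response.headers.add("Set-Cookie", h)`.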