python - Why does the session cookie work when serving from a domain but not when using an IP?

10
votes

I have a Flask application with sessions that works well on my local development machine. However, when I try to deploy it on an Amazon server, sessions do not seem to work.

More specifically, the session cookie is not set. I can, however, set normal cookies. I made sure I have a static secure key, as others have indicated that might be an issue. The only difference is in how the server is set up. During development, I use

app.run()

to run locally. When deployed, I use

app.config['SERVER_NAME'] = '12.34.56.78'  # <-- insert a "real" IP
app.run(host='0.0.0.0', port=80)

I suspect the problem might be in the above, but am not completely certain.

The session does seem to work on Firefox, but not Chrome.

The following small application demonstrates the problem, with the configuration differences at the bottom:

from flask import Flask, make_response, request, session

app = Flask(__name__)
app.secret_key = 'secretKey'

# this is to verify that cookies can be set
@app.route('/setcookie')
def set_cookie():
    response = make_response('Cookie set')
    response.set_cookie('cookie name', 'cookie value')
    return response

@app.route('/getcookie')
def get_cookie():
    if 'cookie name' in request.cookies:
        return 'Cookie found. Its value is %s.' % request.cookies['cookie name']
    else:
       return 'Cookie not found'

# this is to check if sessions work
@app.route('/setsession')
def set_session():
    session['session name'] = 'session value'
    return 'Session set'

@app.route('/getsession')
def get_session():
    if 'session name' in session:
        return 'Session value is %s.' % session['session name']
    else:
        return 'Session value not found'

if __name__ == '__main__':
    app.debug = True

    # windows, local development
    #app.run()  

    # Ubuntu
    app.config['SERVER_NAME'] = '12.34.56.78'  # <-- insert a "real" IP
    app.run(host='0.0.0.0', port=80)
3
pythonsessioncookiesflask

3 Answers

18
votes

This is a "bug" in Chrome, not a problem with your application. (It may also affect other browsers as well if they change their policies.)

RFC 2109, which describes how cookies are handled, seems to indicate that cookie domains must be an FQDN with a TLD (.com, .net, etc.) or be an exact match IP address. The original Netscape cookie spec does not mention IP addresses at all.

The Chrome developers have decided to be more strict than other browsers about what values they accept for cookie domains. While at one point they corrected a bug that prevented cookies on IP addresses, they have apparently backpedaled since then and don't allow cookies on non-FQDN domains (including localhost) or IP addresses. They have stated they will not fix this, as they do not consider it a bug.

The reason "normal" cookies are working but the session cookie is not is that you are not setting a domain for the "normal" cookies (it's an optional parameter), but Flask automatically sets the domain for the session cookie to the SERVER_NAME. Chrome (and others) accept cookies without domains and auto-set them to the domain of the response, hence the observed difference in behavior. You can observer normal cookies failing if you set the domain to the IP address.

During development, you can get around this by running the app on localhost rather than letting it default to 127.0.0.1. Flask has a workaround that won't send the domain for the session cookie if the server name is localhost. app.run('localhost')

In production, there aren't any real solutions. You could serve this on a domain rather than an IP, which would solve it but might not be possible in your environment. You could mandate that all your clients use something besides Chrome, which isn't practical. Or you could provide a different session interface to Flask that does the same workaround for IPs that it already uses for localhost, although this is probably insecure in some way.

Chrome does not allow cookies with IPs for the domain, and there is no practical workaround.

2
votes

It is possible to create session in the Chrome browser using IP.

My config file has these configurations:

    SERVER_NAME = '192.168.0.6:5000'
    SESSION_COOKIE_DOMAIN = '192.168.0.6:5000'

It allowed me to use a local virtual machine and the cookie worked perfectly on Chrome, without the need for a local FQDN.

1
votes

Notice that in the workaround for localhost that @davidism posted -- https://github.com/mitsuhiko/flask/blob/master/flask/sessions.py#L211-L215 , you can patch the Flask code and change if rv == '.localhost': rv = None to simply rv = None and then the cookie domain won't be set and your cookies will work.

You wouldn't want to do this on a real production app, but if your server is just some kind of testing/staging server without sensitive data it might be fine. I just did this to test an app over a LAN on a 192.168.x.x address and it was fine for that purpose.