On Tue, 26 Jan 2021 14:42:22 +0000, Terry Coles wrote:
> Oh. OK. I understand that is the code the Flask method and not the
> code for the Flask Development Server, but surely it's the server
> that sets the cookie?

The term 'server' can become a bit muddled here. If you look at it from a browser or HTTP protocol point of view, then the web server and any frameworks that run in it or alongside it, and any code you write that runs in the framework, are taken together to comprise a server. That is how I meant the word "server" in my previous response to this thread, when I said as much as it was the server's prerogative to decide whether a session cookie corresponded to a valid session. If I look at it that way, then I can say "yes, the server sets the cookie".

But that doesn't answer your question, because I think you are looking at it from a more server-internal point of view, where Flask, and the Flask code you write, is treated as being a separate thing and not as part of the 'server'. I would say that this is a valid way to use the word 'server'. Looking at it that way, then I would say that, yes, the server sets the cookie, but that is only half the story, because Flask and your code can be the reason why the server ends up setting a cookie. If you were having Flask manage sessions for you, then it would be Flask telling the server to set a cookie.

But Ralph is right; the code for flask-httpauth doesn't appear to use sessions or cookies in its implementation of HTTPBasicAuth. So, the fact that clearing browsing data seemed to clear the active log-in has probably been a bit of a red herring, and I have been guilty of being insufficiently curious.

I am now given to assume that Chromium is caching the authentication credentials in a manner that survives browser restarts, or perhaps Chromium is not really being fully shut down when you close the browser, and that is why the authentication persists. Maybe when you cleared the browsing data, it was not the clearing of the cookies but the clearing of the cache(s) that de-authenticated you.

Sorry for any confusion I may have injected.

Patrick
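
Added example (not part of the original message, and not Flask or flask-httpauth code): a stdlib-only WSGI app illustrating the point the reply arrives at, that HTTP Basic authentication uses no session and no cookie. The server checks the `Authorization` header on every request and keeps no state, so any lasting "logged-in" state is the browser re-sending credentials it has cached. The user name, password and realm are constructed sample values.

```python
# Added example: stdlib-only WSGI app, not Flask or flask-httpauth code.
import base64
import hmac

# Constructed sample credentials for the demonstration only.
USERS = {"terry": "example-password"}

def check_basic(header):
    """Return the username if the header carries valid Basic credentials."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison of the supplied and stored passwords.
    if hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None

def app(environ, start_response):
    user = check_basic(environ.get("HTTP_AUTHORIZATION"))
    if user is None:
        # Challenge the client; note that no Set-Cookie header is ever sent.
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="demo"'),
                        ("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]

def request(auth_header=None):
    """Drive the app with a constructed request; return (status, headers)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if auth_header is not None:
        environ["HTTP_AUTHORIZATION"] = auth_header
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))  # consume the response body
    return seen["status"], seen["headers"]

def basic(user, password):
    """Build the header value a browser sends from its cached credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Calling `request()` again after a successful `request(basic(...))` returns 401 once more: the server remembers nothing between requests, so clearing cookies has nothing to remove.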