unset_jwt_cookies now removes csrf tokesn too

Practically, there isn't any security concerns by leaving them set. We don't do any verification on these cookies when they are sent to a protected endpoint, and if we generated new tokens the values in those cookies would be updated. This is just to make sure we are cleaning up after ourselfs (refs #34)
vimalloc · Mar 27, 2017 · 307b36f · 307b36f
1 parent 45628cf
commit 307b36f
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/flask_jwt_extended/utils.py b/flask_jwt_extended/utils.py
@@ -455,4 +455,19 @@ def unset_jwt_cookies(response):
                         secure=get_cookie_secure(),
                         httponly=True,
                         path=get_access_cookie_path())
+
+    if get_cookie_csrf_protect():
+        response.set_cookie(get_refresh_csrf_cookie_name(),
+                            value='',
+                            expires=0,
+                            secure=get_cookie_secure(),
+                            httponly=False,
+                            path='/')
+        response.set_cookie(get_access_csrf_cookie_name(),
+                            value='',
+                            expires=0,
+                            secure=get_cookie_secure(),
+                            httponly=False,
+                            path='/')
+
     return response