The Fix
Upgrade to version 0.12.3 or later.
Based on closed pallets/flask issue #3845 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -208,6 +208,16 @@ The following configuration values are used internally by Flask:
Default: ``False``
+.. py:data:: SESSION_COOKIE_SAMESITE
+
+ Restrict how cookies are sent with requests from external sites. Can
from flask import Flask, session
app = Flask(__name__)
app.secret_key = "dev"
app.config["SESSION_COOKIE_SAMESITE"] = "None"
@app.route("/")
def index():
session["name"] = "test"
return "<p>hello</p>"
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Option A — Upgrade to fixed release\nUpgrade to version 0.12.3 or later.\nWhen NOT to use: This fix is not applicable if the SameSite attribute is not needed for your application.\n\n
Why This Fix Works in Production
- Trigger: 
- Mechanism: The SESSION_COOKIE_SAMESITE attribute was not set correctly in the configuration
- Why the fix works: Added support for the cookie's SameSite attribute in Flask, allowing users to set SESSION_COOKIE_SAMESITE to 'Strict' or 'Lax'. (first fixed release: 0.12.3).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The SESSION_COOKIE_SAMESITE attribute was not set correctly in the configuration
- Production symptom (often without a traceback): 
Proof / Evidence
- GitHub issue: #3845
- Fix PR: https://github.com/pallets/flask/pull/2607
- First fixed release: 0.12.3
- Reproduced locally: No (not executed)
- Last verified: 2026-02-08
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.67
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Then there's something else wrong with your code”
“The literal value None means "not set". Set it to the string "None" to set it to samesite=none.”
“> "None" I have already tried and failed. It's not woking.”
Failure Signature (Search String)
- 
- $ curl -i http://127.0.0.1:5000
Copy-friendly signature
Failure Signature
-----------------
$ curl -i http://127.0.0.1:5000
Error Message
Signature-only (no traceback captured)
Error Message
-------------
$ curl -i http://127.0.0.1:5000
Minimal Reproduction
from flask import Flask, session
app = Flask(__name__)
app.secret_key = "dev"
app.config["SESSION_COOKIE_SAMESITE"] = "None"
@app.route("/")
def index():
session["name"] = "test"
return "<p>hello</p>"
What Broke
Cookies did not include the SameSite attribute, causing cross-site request issues.
Why It Broke
The SESSION_COOKIE_SAMESITE attribute was not set correctly in the configuration
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.12.3 or later.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/pallets/flask/pull/2607
First fixed release: 0.12.3
Last verified: 2026-02-08. Validate in your environment.
When NOT to Use This Fix
- This fix is not applicable if the SameSite attribute is not needed for your application.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
- Pin production dependencies and upgrade only with a reproducible test that hits the failing path.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.12.3 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.