Comments (4)
As mentioned in the other thread, no storage implementation helps if the session details are stolen. The developer needs to implement a feature to allow revoking sessions to provide any mitigation, which is not really related to the storage mechanism.
from aiohttp-session.
Feel free to add some information to the documentation.
The class simply dumps the session data into a cookie as plain text. This makes it easy for development, as you can just look at the cookie in your browser to see what the session contains. But, anybody can put anything in there, so the data can't be trusted (e.g. If you put a user ID in the session, you can just change the ID and identify as any other user without authentication).
The recommend cookie storage encrypts the contents of the session before saving in a cookie. That means the contents can't be manipulated without the key, which should only exist on the server. It could potentially hide sensitive data in the session from the user too.
from aiohttp-session.
See:
https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/__init__.py#L352
vs.
https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/cookie_storage.py#L76
from aiohttp-session.
Thanks @Dreamsorcerer. I understand the encrypted one can prevent from tampering while it does not help if the cookie was stolen.
from aiohttp-session.
Related Issues (20)
- b64_encode needed in README? HOT 2
- Broken session if any json encoded string is placed in cookies? HOT 1
- Dependabot couldn't authenticate with https://pypi.python.org/simple/
- Dependabot couldn't authenticate with https://pypi.python.org/simple/
- Test support for local memcached and redis servers HOT 2
- Update aioredis
- Fix tests for Python 3.8+
- aiohttp 3.7 samesite flag voor cookies cant be set HOT 2
- sessions not saved with HTTPExceptions HOT 2
- aiohttp-session docs Source Code bug tracker link is pointing to the wrong repository
- aiohttp_session not save_session for manualy created new_session HOT 1
- session fails silently with large inputs HOT 6
- Can't retrieve value from session after raise HTTPFound HOT 3
- Bump aioredis version to +2.x HOT 1
- session not saved with web.FileResponse HOT 3
- Solution for EncryptedCookieStorage 32 bytes limit length!!! HOT 1
- Please support using redis.asyncio HOT 1
- Running tests locally [question] HOT 3
- Update documentation for the redis module HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aiohttp-session.