Sessions module is insecure #5
Comments
|
I agree, I'm still undecided on how to handle config settings, however. What do you think the best way supply the key would be?
I've update the repositories under the gaego organization to the new Gorilla repositories |
|
I believe the best course of action would be:
This will probably require a rewrite of the API for the sessions, though, as you currently don't seem to be able to do that at initialization. What do you think of this? |
|
That sound good. The difficult part -- I think -- is step #1 opening a transaction. Ideally we could just put this logic in the To circumvent this limitation I believe the options would be:
What do you think? Is there a better way to handle this? |
|
I'm wondering if you actually have to have a valid context. If I remember correctly, the Python runtime is able to do datastore operations at instance startup. I'm going to mess around with some code and test it out. After that I'll come back and write the pros and cons of all of the options. |
|
It seems that the Go runtime uses the Context (in datastore operations, at least) for the current app's ID (ID is passed to the runtime via HTTP headers.) The Python protobuffer instances have an _app property, but I can't figure out where it's being set. In both instances the app ID seems to be required for a datastore RPC. |
|
First of all, I think I should clarify how I believe we would set it up to use a Config:
I don't believe that storing a hard-coded configuration is a very good idea at all for many reasons, primarily that it requires you to either use the same configuration for production and development or change it any time you wish to deploy. |
|
That sounds good it solves that problem of need the request object. A few questions:
|
I believe they should be randomly generated, but only if the Get of the Config fails. |
|
Good point. OK, I'm convenced. Do you mind making the change? You should have full write access to gaego/session. I really appreciate all of your contributions. |
I'll begin work on it today or tomorrow. :) |
|
I believe I've thought of an easier-to-maintain iteration of essentially the same idea. What if, instead of mocking the entire sessions package, we made a function that returned an initialized session store? It seems to make more sense and still allows us to do all of the initialization easily. |
|
Sure, that could work. Which ever you think would make the api easiest to use. I think it's alright to be opinionated and only offer one type of store, by removing the configuration all we really need are the import "github.com/gaego/session"
func MyHandler(w http.ResponseWriter, r *http.Request) {
// Get a session and set a value.
sess1, _ := session.Get(r, "session-one")
sess1.Values["foo"] = "bar"
// Get another session and set another value.
sess2, _ := session.Get(r, "session-two")
sess2.Values[42] = 43
// Save all sessions.
session.Save(r, w)
}I apologize if I'm overlooking looking something, it's been a while since I've thought about sessions. |
|
I was thinking more of: import "github.com/gaego/session"
func MyHandler(w http.ResponseWriter, r *http.Request) {
// Get a store (this initializes the store keys and/or store if necessary)
store := session.GetStore(w, r)
// Get a session and set a value.
sess1, _ := store.Get(r, "session-one")
sess1.Values["foo"] = "bar"
// Get another session and set another value.
sess2, _ := store.Get(r, "session-two")
sess2.Values[42] = 43
// Save all sessions.
store.Save(r, w)
} |
|
Looks good to me :) |
|
I've created a branch named |
The sessions module is currently insecure due to its fixed key. This should probably be fixed. (It should more than likely be supplied with both keys so that it uses encryption, as noted in the documentation.)
You should probably also change it to use the new Gorilla repositories.
The text was updated successfully, but these errors were encountered: