Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Also why would anyone store and read data like { 'groups': [...] } on the client-side? Session cookies are supposed to be identifiers only, with the data stored server-side.


By default sessions in Flask are stored in plaintext:

> This is implemented on top of cookies for you and signs the cookies cryptographically. What this means is that the user could look at the contents of your cookie but not modify it, unless they know the secret key used for signing.


That's precisely why the cookie should just be an identifier, that you look up group info from the database. Because you can guarantee the cookie contents will be modified by someone at some point. Make it useful to you, useless to them.


By default flask doesnt have a db. There is flask-sessions extensiom that does this for you.


Or you can just link to a DB directly. A Flask app is just a WSGI app. You can mount and extend it with any kind of Python, no extension necessary.


That's what the extension does for you.


Can't session data be stored on disk? that's the default PHP behavior.


Because you might have multiple webservers.


There are solutions for that: Shared NAS, sticky sessions etc.


Good luck with maintaining that NAS. Your sticky sessions will logout all users on a server that goes down. It's better to have a db.

Please stop.


Of course it's better to have a db doh... I'm replying to your

> By default flask doesnt have a db.


People don't have NAS laying around. And don't use a filesystem as a db, especially a remote filesystem.


The cookie contents can be changed only if you know the secret config.


Or if you can bruteforce the secret, or if there's a vulnerability in the secret, or if... You're relying on the fact that the cryptography will be impregnable, rather than adopting an actual security posture.

Do not trust the data you send to a user, to remain secure.


And you're relying on security through obscurity.


No. It's relying on both cryptography, and the inaccessiblity of information. Which is a tried, practiced, and often federally mandated, method of security. Controlling who has access to information is sorta security 101. Don't dump your database to the Internet.

Security through obscurity is allowing REST commands to the /totallysecretaddress/neverleaked/ URI.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: