danielgron
commented
2 months ago Looks like it is a non-issue.
It seems all information is stored in the cookie, meaning the server does not have session state. Final confirmation would be nice though.
Open danielgron opened 2 months ago
danielgron
commented
2 months ago Looks like it is a non-issue.
It seems all information is stored in the cookie, meaning the server does not have session state. Final confirmation would be nice though.
rasmus-bn
commented
2 months ago The session library states that it uses the securecookie library for storing the session.
According to this post the securecookie library is meant to encrypt/decrypt the session cookie at server-side but stores the session on the client: https://security.stackexchange.com/questions/86465/the-purpose-of-securecookie-package-from-gorilla
Sessions are currently handled in memory. This means if we scale, requests can end up on a node that doesn't have the session stored.
Solution? Store session in DB? JWT tokens? ?...