Open danielgron opened 2 months ago
Looks like it is a non-issue.
It seems all information is stored in the cookie, meaning the server does not have session state. Final confirmation would be nice though.
The session library states that it uses the securecookie library for storing the session.
According to this post, the securecookie library is meant to encrypt/decrypt the session cookie on the server side but stores the session on the client: https://security.stackexchange.com/questions/86465/the-purpose-of-securecookie-package-from-gorilla
Sessions are currently handled in memory. This means if we scale, requests can end up on a node that doesn't have the session stored.
Solution? Store session in DB? JWT tokens? ...
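An added example, not part of the original issue or the project's code: a standard-library stand-in for a client-side cookie store (HMAC-SHA256 signing only, not securecookie's actual cookie format), showing that a node with no stored state can read a session issued by another node when both hold the same key. `Node`, `Encode`, `Decode` and the key value are hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Node is a hypothetical app server: it holds a signing key, never session data.
type Node struct{ key []byte }

func (n Node) mac(payload string) []byte {
	m := hmac.New(sha256.New, n.key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// Encode puts the whole session in the cookie value and appends an HMAC over it.
func (n Node) Encode(session map[string]string) string {
	raw, _ := json.Marshal(session) // a map[string]string always marshals
	payload := b64.EncodeToString(raw)
	return payload + "." + b64.EncodeToString(n.mac(payload))
}

// Decode trusts the payload only after a constant-time HMAC check.
func (n Node) Decode(cookie string) (map[string]string, error) {
	payload, sig, ok := strings.Cut(cookie, ".")
	got, err := b64.DecodeString(sig)
	if !ok || err != nil || !hmac.Equal(got, n.mac(payload)) {
		return nil, errors.New("invalid session cookie")
	}
	raw, err := b64.DecodeString(payload)
	if err != nil {
		return nil, err
	}
	var session map[string]string
	err = json.Unmarshal(raw, &session)
	return session, err
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample, not a real secret
	fmt.Println(Node{key}.Decode(Node{key}.Encode(map[string]string{"user": "alice"})))
}
```

A node holding a different key rejects the cookie, so every instance behind the load balancer needs the same key material for this to work when scaling out.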