JiangKlijna / web-shell

A terminal running on a web server
GNU General Public License v3.0

Stateless session mechanism is non-standard and uses insecure cryptographic functions #4

Status: closed (twitchyliquid64 closed this issue 1 year ago)

twitchyliquid64 commented 1 year ago

See: https://github.com/JiangKlijna/web-shell/blob/ebd1b450cb25b282cb3dd5939afeb88b2974179f/lib/generate.go

This is extremely scary from a security perspective, and rather unnecessary (could be done securely + easily with PASETO tokens like https://github.com/aidantwoods/go-paseto).

Would you accept a PR to switch the login logic to use PASETO?
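The kind of stateless session token this issue asks for, as an added example that is not code from web-shell or from go-paseto: a standard-library Go stand-in for the symmetric (local) PASETO pattern, where the payload is authenticated with a keyed MAC, the tag is compared in constant time before any claim is parsed, and expiry is enforced. The `Claims` type, function names and the 32-byte key requirement are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims carried by the token (constructed for this example; not a web-shell type).
type Claims struct {
	User string `json:"sub"`
	Exp  int64  `json:"exp"` // expiry, Unix seconds
}

var ErrInvalidToken = errors.New("invalid session token")

// MintToken issues "payload.tag": base64url(JSON claims) plus an HMAC-SHA256
// tag over that payload under a server secret of at least 32 bytes.
func MintToken(key []byte, user string, ttl time.Duration, now time.Time) (string, error) {
	if len(key) < 32 {
		return "", errors.New("session key must be at least 32 bytes")
	}
	// Marshal cannot fail for this fixed struct of a string and an int64.
	body, _ := json.Marshal(Claims{User: user, Exp: now.Add(ttl).Unix()})
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + tag(key, payload), nil
}

func tag(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyToken compares the tag in constant time before parsing any claims,
// then rejects expired tokens; a tampered payload, tag or wrong key fails closed.
func VerifyToken(key []byte, token string, now time.Time) (*Claims, error) {
	payload, got, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(got), []byte(tag(key, payload))) {
		return nil, ErrInvalidToken
	}
	body, err := base64.RawURLEncoding.DecodeString(payload)
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil || c.Exp <= now.Unix() {
		return nil, ErrInvalidToken
	}
	return &c, nil
}
```

Real PASETO additionally versions the format and encrypts the payload; this stand-in only authenticates it, so claims are readable by the client but cannot be altered.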

JiangKlijna commented 1 year ago

Of course, I'm glad to accept.