Closed dvstans closed 3 years ago
This has been fixed using nodejs express-session. No user account information is exposed to the client - only a session ID. The web server maintains only what session data is needed to use the api and/or register a new user. Session data is stored in memory - may need to investigate a mechanism for flushing old session data if memory gets low (the session cookie is good for a week).
This weakness of the web service was overlooked somehow, but the ID of the user is the only parameter needed to access the web API. This information was stored in a cookie, but users can easily modify the contents of the cookies to spoof the ID of another DataFed user. Cookies must continue to be used, but the contents must be secured. There are a number of solutions: