datarhei / restreamer

The Restreamer is a complete streaming server solution for self-hosting. It has a visually appealing user interface and no ongoing license costs. Upload your live stream to YouTube, Twitch, Facebook, Vimeo, or other streaming solutions like Wowza. Receive video data from OBS and publish it with the RTMP and SRT server.
https://docs.datarhei.com/restreamer/
Apache License 2.0
3.92k stars 448 forks

Hardcoded Session Secret #1

Closed TimWolla closed 8 years ago

TimWolla commented 8 years ago

I noticed that you use the example session secret of express-session: https://github.com/datarhei/restreamer/blob/5252445ec9c0f0383fcc7bd5cbb3b4b316a6d860/src/webserver/app.js#L44

You should generate a random secret during the first run, otherwise it is possible to tamper with the session information.

christophjohannsdotter commented 8 years ago

Hi,

I created a branch with the modification you suggested: https://github.com/datarhei/restreamer/commit/a05e2bf1636ce41e4d98361b8251ac51a906b368

Would you solve it the same way?

Chris

TimWolla commented 8 years ago

> Would you solve it the same way?

This will destroy every session on a server restart. Depends on whether you want that. Apart from that it looks fine to me (but I am not entirely sure whether 512 bit is too much, you should be fine with 128 bit, but don't quote me on that).

TimWolla commented 8 years ago

Also: The issue ID in your commit message is wrong.

christophjohannsdotter commented 8 years ago

Yes, just noticed that :smiley_cat: Thanks for your help.