eightfish-org / eightfish

EightFish is a web MVC framework to develop decentralized applications.
GNU General Public License v3.0

Session management design #4

Open miketang84 opened 1 year ago

miketang84 commented 1 year ago

Initial ideas:

Instead of using Redis to keep the records of session-key to userid, we put this logic into Postgres. So we need to add session-management-related tables to the schema.

Why? A user may switch the connecting entry point in the network, so the session status must be synced across all network nodes. We can easily achieve this by just putting this data into the SQL db.

Although there is some performance cost compared to web2, we do this so naturally thanks to our brilliant architecture, while session management is a huge headache in other web3 solutions.

miketang84 commented 1 year ago

There is a security problem in the above solution. The session key shouldn't be open, or else anyone can construct a fake key to log in.

miketang84 commented 1 year ago

A new design is underway.
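One common way to address the concern in the second comment, shown as an added example that is not EightFish code and not the design the author refers to: the replicated table keeps only a SHA-256 digest of a random session token, so a reader of the table cannot construct a key that resolves to a user. The table and function names are hypothetical, an in-memory SQLite database stands in for the Postgres table synced across nodes, and it assumes the raw token reaches a node over a private channel.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed schema: stands in for the session table every node replicates.
SCHEMA = """
CREATE TABLE session (
    token_digest TEXT PRIMARY KEY,   -- SHA-256 of the token, never the token
    user_id      TEXT NOT NULL,
    expires_at   INTEGER NOT NULL
)"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(db, user_id, ttl=3600, now=None):
    """Issue a 256-bit random token and persist only its digest."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO session VALUES (?, ?, ?)",
               (_digest(token), user_id, now + ttl))
    return token  # handed to the client once, never stored


def resolve_session(db, token, now=None):
    """Return the user id for a live token, else None."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT user_id FROM session "
        "WHERE token_digest = ? AND expires_at > ?",
        (_digest(token), now)).fetchone()
    return row[0] if row else None


def replicated_rows(db):
    """What any party able to read the synced table sees."""
    return db.execute("SELECT token_digest, user_id FROM session").fetchall()
```

Presenting a value copied from the table as a session key fails, because the lookup hashes whatever the client sends before comparing.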