kentonh / gPanel

A web-hosting control panel written in Go.
MIT License

Use normal sessions instead of gorilla/sessions #129

Closed george-e-shaw-iv closed 6 years ago

george-e-shaw-iv commented 6 years ago

Severity level (1-10):

3

Files/Directories Involved:

pkg/networking/session_store.go
pkg/gpaccount/authentication.go
pkg/gpserver/authentication.go
pkg/api/user/auth.go
gpanel.go (context.ClearHandler)

Description:

I think the removal of two different dependencies, gorilla/sessions and gorilla/context, is more valuable than what the two packages give to the project, given that encrypted JWT tokens are already being used. Right now what's happening is we're encrypting an already encrypted value. It definitely doesn't hurt and it probably makes it really secure, but at a cost that I think I would rather not have.

Using http.Cookie values with empty expire fields will render the same effect as gorilla/sessions does without encrypting them.

Personal Comments:
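An added example, not code from gPanel or from the issue author, of what the proposed replacement looks like in plain net/http: a session cookie with no Expires and no MaxAge (so the browser drops it when the session ends, as the issue describes), carrying the already-encrypted token as its value, plus the read and clear sides of the same cookie. The cookie name gpanel_session is an assumption, and the token string is an opaque stand-in for the encrypted JWT the issue says is already in use; the HttpOnly, Secure and SameSite attributes are the defensive settings a practitioner would expect once gorilla/sessions no longer wraps the value.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Cookie name is an assumption; gPanel's real name is not on the page.
const sessionCookieName = "gpanel_session"

var errNoSession = errors.New("no session cookie present")

// setSessionCookie stores the (already encrypted) token as a session cookie.
// No Expires and no MaxAge: the browser discards it at the end of the session,
// which is the behaviour the issue wants from plain http.Cookie.
func setSessionCookie(w http.ResponseWriter, token string, secure bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    token,
		Path:     "/",
		HttpOnly: true,                    // not readable from JavaScript
		Secure:   secure,                  // only sent over TLS (false only for local dev)
		SameSite: http.SameSiteStrictMode, // not sent on cross-site requests
	})
}

// readSessionToken returns the token carried by the session cookie, or
// errNoSession when the cookie is absent or empty. Validating the token
// (decrypting/verifying the JWT) is left to the existing authentication code.
func readSessionToken(r *http.Request) (string, error) {
	c, err := r.Cookie(sessionCookieName)
	if err != nil || c.Value == "" {
		return "", errNoSession
	}
	return c.Value, nil
}

// clearSessionCookie asks the browser to delete the cookie immediately
// (MaxAge < 0 is serialised as Max-Age=0).
func clearSessionCookie(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    "",
		Path:     "/",
		MaxAge:   -1,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})
}

// issuedCookie captures the cookie that setSessionCookie writes, parsed back
// from the Set-Cookie header exactly as a client would see it.
func issuedCookie(token string) *http.Cookie {
	rec := httptest.NewRecorder()
	setSessionCookie(rec, token, true)
	cs := rec.Result().Cookies()
	if len(cs) == 0 {
		return nil
	}
	return cs[0]
}

// clearedCookie captures the cookie written by clearSessionCookie.
func clearedCookie() *http.Cookie {
	rec := httptest.NewRecorder()
	clearSessionCookie(rec)
	cs := rec.Result().Cookies()
	if len(cs) == 0 {
		return nil
	}
	return cs[0]
}

// roundTrip simulates a browser returning the issued cookie on a later request.
func roundTrip(token string) (string, error) {
	req := httptest.NewRequest(http.MethodGet, "/api/user", nil)
	req.AddCookie(issuedCookie(token))
	return readSessionToken(req)
}

func main() {
	// Constructed stand-in for the encrypted JWT; not a real token.
	c := issuedCookie("encrypted-jwt-placeholder")
	fmt.Printf("Set-Cookie: %s\n", c.String())
	tok, err := roundTrip("encrypted-jwt-placeholder")
	fmt.Println("read back:", tok, err)
	_, err = readSessionToken(httptest.NewRequest(http.MethodGet, "/", nil))
	fmt.Println("no cookie:", err)
}
```

The cookie itself adds no confidentiality or integrity, so whatever goes into Value must remain the encrypted, signed token the issue refers to; the attributes above only limit where the browser will send it.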

george-e-shaw-iv commented 6 years ago

If you end up doing this and have golang/dep already installed on your machine you can go ahead and run dep ensure to update the dependencies and remove them after all of the imports for those packages have been removed.

If not, I can do it after the PR.