miguelgrinberg / Flask-HTTPAuth

Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes
MIT License

Store tokens in the session cookies. #128

Closed tabebqena closed 3 years ago

tabebqena commented 3 years ago

I want to use this extension as a replacement for flask-login. I believe that I can use HTTPTokenAuth, but I need to store the generated token in the session cookies.

On each upcoming request, I will read the cookies and apply authentication by its value.

Is this approach safe? Does this extension have any other implementation to authenticate the browser requests?

miguelgrinberg commented 3 years ago

The Flask-Login extension is good for doing stateful authentication, while Flask-HTTPAuth is better for stateless auth. They don't have the same purpose, and one cannot easily replace the other. I haven't really thought about the use of Flask-HTTPAuth with cookies, and even less with the session cookie. I can't say that it is not going to work, but what I can tell you with certainty is that it is not a design goal of this project to do what Flask-Login does.

fconil commented 3 years ago

I just had a glance at RFC 6750 on "The OAuth 2.0 Authorization Framework: Bearer Token Usage". The RFC has the following recommendation:

Don't store bearer tokens in cookies: Implementations MUST NOT store bearer tokens within cookies that can be sent in the clear (which is the default transmission mode for cookies). Implementations that do store bearer tokens in cookies MUST take precautions against cross-site request forgery.
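A defender's check for the RFC 6750 precautions quoted above, written as an added example that is not part of this issue thread or of the Flask-HTTPAuth project: it audits a `Set-Cookie` header carrying a token for the Secure flag and for CSRF-related attributes, and shows a header that passes. The header values are constructed samples; the Flask config names in the comments are Flask's standard session-cookie settings, not anything this thread defines.

```python
from http.cookies import SimpleCookie

# RFC 6750 sec. 5.3: a bearer token in a cookie must never be sent in the
# clear (Secure) and needs CSRF precautions; SameSite restricts cross-site
# sends and HttpOnly keeps page scripts from reading the token. In Flask
# the session cookie is governed by SESSION_COOKIE_SECURE,
# SESSION_COOKIE_HTTPONLY and SESSION_COOKIE_SAMESITE.


def audit_token_cookie(set_cookie_header, cookie_name="session"):
    """Parse one Set-Cookie header value and return the findings for the
    named cookie; an empty list means the header passes the checks."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(cookie_name)
    if morsel is None:
        return [f"cookie {cookie_name!r} not present in header"]
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure: token can be sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: token readable by page scripts")
    if morsel["samesite"].lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the token (CSRF)")
    return findings


def build_token_cookie(value, cookie_name="session"):
    """Return a Set-Cookie header value that satisfies audit_token_cookie."""
    return f"{cookie_name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers (not captured from any real deployment).
WEAK_HEADER = "session=tok_constructed_12345; Path=/"
HARDENED_HEADER = build_token_cookie("tok_constructed_12345")

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        for finding in audit_token_cookie(header) or ["ok"]:
            print("  -", finding)
```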