Closed: tabebqena closed this issue 3 years ago

I want to use this extension as a replacement of flask-login. I believe that I can use HTTPTokenAuth but I need to store the generated token in the session cookies. On each upcoming request, I will read the cookies and apply authentication by its value.

Is this approach safe? Does this extension have any other implementation to authenticate the browser requests?

The Flask-Login extension is good for doing stateful authentication, while Flask-HTTPAuth is better for stateless auth. They don't have the same purpose, and one cannot easily replace the other. I haven't really thought about the use of Flask-HTTPAuth with cookies, and even less with the session cookie. I can't say that it is not going to work, but what I can tell you with certainty is that it is not a design goal of this project to do what Flask-Login does.

I just had a glance at RFC 6750 on "The OAuth 2.0 Authorization Framework: Bearer Token Usage". The RFC has the following recommendation:

"Don't store bearer tokens in cookies: Implementations MUST NOT store bearer tokens within cookies that can be sent in the clear (which is the default transmission mode for cookies). Implementations that do store bearer tokens in cookies MUST take precautions against cross-site request forgery."