mr-ma / paper-review-go

paper review enables researchers to review papers collaboratively, craft taxonomies, visualise results, and analyse the gaps

Hardcoded session encryption key #14

Open mr-ma opened 6 years ago

mr-ma commented 6 years ago

In the taxonomy server there is a hardcoded string for the session encryption key. This is the same string as in the documentation of the scs library. So chances are high that attackers already try this out to defeat the session management.

var sessionManager = scs.NewCookieManager("u46IpCV9y5Vlur8YvODJEhgOY8m9JVE4")

Also, the session is not being used in secure mode. We need to uncomment the following line and test the service:

//sessionManager.Secure(true)
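One way to address both points raised in this issue, written here as an added example and not code from paper-review-go or the scs library: the block uses only the Go standard library (scs is not imported), assumes an environment variable named SESSION_KEY as the place the secret comes from, and treats the key quoted above as a known-public value that the server must refuse at startup. The Secure flag set on the cookie is the same property the commented-out sessionManager.Secure(true) line would enable in scs; HttpOnly and SameSite are added as defaults a practitioner would expect alongside it.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"os"
)

// sessionKeyEnv is the assumed name of the environment variable that carries
// the session secret; the real taxonomy server may use another mechanism.
const sessionKeyEnv = "SESSION_KEY"

// minKeyLen is the minimum accepted secret length in bytes (32 bytes = 256 bits).
const minKeyLen = 32

// publicKeys lists secrets that are known to be public and therefore unusable.
// The only entry is the value from the scs documentation quoted in the issue.
var publicKeys = map[string]bool{
	"u46IpCV9y5Vlur8YvODJEhgOY8m9JVE4": true,
}

// ValidateSessionKey rejects empty, short or publicly known secrets.
func ValidateSessionKey(key string) error {
	switch {
	case key == "":
		return errors.New("session key is empty")
	case len(key) < minKeyLen:
		return fmt.Errorf("session key is %d bytes, need at least %d", len(key), minKeyLen)
	case publicKeys[key]:
		return errors.New("session key matches a publicly documented sample value")
	}
	return nil
}

// LoadSessionKey reads the secret from the environment instead of the source
// tree, so the key is per deployment and is never committed.
func LoadSessionKey() (string, error) {
	key := os.Getenv(sessionKeyEnv)
	if err := ValidateSessionKey(key); err != nil {
		return "", fmt.Errorf("%s: %w", sessionKeyEnv, err)
	}
	return key, nil
}

// NewRandomKey generates a fresh 32-byte secret (64 hex characters) for
// provisioning a deployment; run it once and keep the result in the secret
// store or environment, not in the repository.
func NewRandomKey() (string, error) {
	buf := make([]byte, minKeyLen)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// SessionCookie builds the session cookie with the attributes the issue asks
// for: Secure so it is only sent over TLS (what sessionManager.Secure(true)
// does in scs), plus HttpOnly and SameSite=Lax as sensible defaults.
func SessionCookie(value string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	key, err := LoadSessionKey()
	if err != nil {
		// Refuse to start rather than fall back to a built-in secret.
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		fresh, _ := NewRandomKey()
		fmt.Fprintf(os.Stderr, "example provisioning: export %s=%s\n", sessionKeyEnv, fresh)
		os.Exit(1)
	}
	fmt.Printf("loaded %d-byte session key from %s\n", len(key), sessionKeyEnv)
	fmt.Println("cookie:", SessionCookie("opaque-session-id", true).String())
}
```

Run it once without SESSION_KEY set to see the startup refusal and a freshly generated value, then export that value and run again. The denylist check is what turns the issue's finding into something CI can catch: the documented key is long enough to pass a length check alone, so only an explicit comparison against known-public values rejects it.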

FelixHuberFX commented 6 years ago

Instead of using the default cookiestore method, the sessions are now being stored in the MySQL database. This solves the first issue.