waxlamp
commented
4 years ago This looks interesting. Can you point me to where it lets you do encryption? It seems like it's specifically meant for signing data, rather than encrypting it.
More than anything else, I found this bit interesting:
Signed objects can be stored in cookies or other untrusted sources which means you don’t need to have sessions stored on the server, which reduces the number of necessary database queries.
That relates to the conversation we had yesterday--if this is true and easy to do, then we don't have to come up with a database schema for storing multiple sessions per user on the serverside.
jjnesbitt
Currently, we use the flask
sessionobject to store cookies. This gives us the advantage of automatically having a cryptographically signed dictionary that stores any cookies we'd like to store. Because this cookie is signed and not encrypted, it means that the contents of the cookies can't be tampered with, but the value of the cookie is still be visible to the user who holds it (all they have to do is decode the cookie, which is a base64 encoded string).This isn't really an issue, as we're using https, and once https://github.com/multinet-app/multinet-server/pull/380 is merged, only trusted domains can make requests to the server, and the cookie is HTTP only anyway, meaning the browser shields its value from javascript. However, if for some reason we find it necessary to encrypt this cookie, we could do that as well. I recently found a library called itsdangerous, which provides an interface to encrypt dictionaries.
This means that only the server can actually read the data stored in the browser cookie (for which we'd probably use
FLASK_SECRET_KEYas a key), and the user is just carrying around a cookie with useless data.I'm not saying we should do this, but I found this library interesting and just wanted to put the idea out there.