Closed TheRealThor closed 2 years ago
pixelmund
commented
2 years ago Hm good question, i think it should be safe to expose these values but i'm in no means a security expert. What you can do is to only expose the data you need on the client via getSession, i always have some public data that i expose via getSession and private session data which i only use in my endpoints, handle etc. also i always use a secret thats > 32 characters or even 64.
TheRealThor
commented
2 years ago You are right. On top that, data from the session (the cookie) to be processed in the backend should have low trust since it remains essentially user input.
Do you use any ready made stuff for handling the server session ?:)
pixelmund
commented
2 years ago I'm using prisma and only storing the sessionId in the cookie. I can probably share some best practices in the future, currently working something out.
jtlapp
commented
2 years ago So is the purpose of providing a secret key to sign the session data, rather than to encrypt it?
evdama
commented
2 years ago I'm using prisma and only storing the sessionId in the cookie. I can probably share some best practices in the future, currently working something out.
So this way it's becoming a statefull solution right? Storing an ID inside the cookie, then use this ID to do a lookup in a database serverside? I'm thinking of doing something like that as well, using firestore as a database... When you say best practices, what do you mean exactly?
I played around with the plugin and and works smoothly. Nice work! But I have a question about the encryption. All the session data is exposed to the pages in clear text in early readable in the code when looking for "session". Could an attacker not by comparing encrypted and plaintext values compute the encryption key if he just takes enough time?
I tried to google it with AES encryption but results were inconclusive besides this this