Switch to server-side sessions #1783
Conversation
The rationale is that the attacker doesn't have the password... and that doing it this way we avoid creating useless sessions
Thanks for submitting this pull request.
bors try
Note: if this build fails, read this.
try: Build failed.
It's missing a newsfragment (to later generate the changelog), otherwise seems fine.
Should we backport this?
I'm not sure how to phrase it... that's why I've left it out. Feel free to improve upon it :)
I'd say yes... but we may want to wait until it gets some additional field testing.
It looks good to me. It is nice we can prevent replay attacks with this. This will make mailu more secure.
If this functionality does not work properly, we must not forget to revert the backport.
Fortunately test.mailu.io will be automatically updated later today. So we can already test via test.mailu.io.
However we should also test mailu 1.8.
bors r+
Build succeeded.
What type of PR?
bug-fix
What does this PR do?
It simplifies session management.
It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.
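As an added illustration of the distinction the PR title draws, and not code from Mailu or from this pull request: a signed client-side cookie carries its own state and stays valid wherever it was copied to, whereas a server-side session hands the client only an opaque random id whose validity the server can end at any moment (logout, password change). The HMAC signer, the in-memory store, the key and the explicit clock below are constructed stand-ins for a framework's session machinery.

```python
"""Opaque server-side session ids versus a signed client-side cookie.

Added illustration, not Mailu's code. The HMAC cookie signer and the
in-memory store are constructed stand-ins for a framework's session
machinery; the clock is passed explicitly so the behaviour is deterministic.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed key for the example only; a real deployment loads it from config.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def sign_client_side_cookie(payload: str) -> str:
    """Client-side style: the cookie carries the state plus an HMAC over it."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_client_side_cookie(cookie: str) -> Optional[str]:
    """Returns the payload if the MAC checks out.

    Nothing server-side is consulted, so a captured cookie keeps
    authenticating until any embedded expiry, regardless of logout
    or a password change."""
    payload, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None


@dataclass
class Session:
    user: str
    expires_at: float


class ServerSideSessionStore:
    """Server-side style: the cookie is only a random opaque id; all state,
    including validity, lives in the store and can be revoked at will."""

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._sessions[sid] = Session(user=user, expires_at=now + self.ttl)
        return sid

    def lookup(self, sid: str, now: float) -> Optional[str]:
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[sid]  # lazily drop expired entries
            return None
        return session.user

    def revoke(self, sid: str) -> None:
        """Logout: the id becomes meaningless immediately."""
        self._sessions.pop(sid, None)

    def revoke_user(self, user: str) -> int:
        """Password change or compromise: end every session of one user."""
        stale = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def count(self) -> int:
        return len(self._sessions)


def replay_after_logout_client_side() -> bool:
    """True if a captured signed cookie still authenticates after 'logout'."""
    cookie = sign_client_side_cookie("user=alice")
    captured = cookie  # attacker copies the cookie in transit
    # 'logout' only discards the cookie on the client; the server holds no state
    return verify_client_side_cookie(captured) == "user=alice"


def replay_after_logout_server_side() -> bool:
    """True if a captured opaque id still authenticates after logout."""
    store = ServerSideSessionStore(ttl_seconds=3600)
    sid = store.create("alice", now=0.0)
    captured = sid  # attacker copies the cookie in transit
    store.revoke(sid)  # logout removes the server-side record
    return store.lookup(captured, now=10.0) == "alice"
```

The second function is the property the reviewer above is pointing at: once the session record is gone, replaying the old cookie gets the attacker nothing, and `revoke_user` gives the same effect for a password change without the server having to track which cookies are in the wild.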