
Either make it stateless, or allow persistent storage #43

Closed
fluffy-critter opened this issue Oct 30, 2019 · 2 comments


@fluffy-critter fluffy-critter commented Oct 30, 2019

On cloud-based deployments like Heroku, and on load balancers (I repeat myself), there's not currently any way for state to be preserved across process boundaries; all of the state is stored in an ExpiringDict.

It would be better to go back to storing the state value in an itsdangerous-signed token, which was the original design and is generally safe (modulo the concern of replay attacks, which is mitigated by making the signature expire anyway).

Alternately, allow for a persistent backing store for the state tokens, but that's got a lot of other implications to worry about and should only be a last resort.
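The stateless design described above, as an added example that is not part of the original issue or the project's own code: a standard-library HMAC stand-in for an itsdangerous-style timestamped token, where the expiry (`max_age`) is what bounds the replay window. The function names and the secret are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> bytes:
    # URL-safe base64 without padding, as itsdangerous does.
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def make_state_token(secret: bytes, payload: dict, now=None) -> str:
    """Serialize payload plus an issue timestamp and sign it with HMAC-SHA256."""
    issued = int(now if now is not None else time.time())
    body = json.dumps({"p": payload, "ts": issued}, separators=(",", ":"), sort_keys=True)
    data = _b64(body.encode())
    sig = _b64(hmac.new(secret, data, hashlib.sha256).digest())
    return (data + b"." + sig).decode()


def verify_state_token(secret: bytes, token: str, max_age: int, now=None):
    """Return the payload if the signature is valid and the token is not older
    than max_age seconds; otherwise return None. Without server-side state the
    token stays replayable inside that window, which is why max_age is kept short."""
    try:
        data, sig = token.encode().rsplit(b".", 1)
    except ValueError:
        return None  # malformed: no signature separator
    expected = _b64(hmac.new(secret, data, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or wrong signing key
    padded = data + b"=" * (-len(data) % 4)
    body = json.loads(base64.urlsafe_b64decode(padded))
    current = now if now is not None else time.time()
    if current - body["ts"] > max_age:
        return None  # expired: this is the replay mitigation the issue refers to
    return body["p"]


if __name__ == "__main__":
    key = b"constructed-example-secret"  # assumption: real deployments load this from config
    tok = make_state_token(key, {"redir": "/dashboard"})
    print(tok, verify_state_token(key, tok, max_age=600))
```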


@fluffy-critter fluffy-critter commented Oct 30, 2019

Note that making it stateless will require reopening #18


@fluffy-critter fluffy-critter commented Oct 30, 2019

closed by #45
