Use session tokens in the auth header #3458
Comments
Pushing this off again, but leaving some comments:
I think also we might want to decouple the session id notion from the token. Currently the session id essentially is the token when it is signed, but I am not sure it makes sense for that to be the case. Maybe it's fine, but if not, changing something like that is a 2.0 task.
@bryevdv I assume the bearer token has to be stored securely, right? If so, it should probably be placed in a cookie and not in a regular header since cookies are designed to be much more secure.
@p-himik since the other issue is somewhat related, let's keep the discussion on the other issue just for simplicity.
This was closed by #9536
Right now we put the session ID in the URL, which means that if someone shares the URL they are leaking their access (in a scenario where session IDs are handed out only after authentication). This may be undesirable and could be fixed by allowing the session ID to be set in a cookie instead.
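As an added illustration of the change the issue asks for (this is not code from the project or from any participant in the thread): a small Python helper that takes the session token from a bearer `Authorization` header or an `HttpOnly` cookie and refuses to honour a session id carried in the URL query string, so a shared link cannot grant access. The cookie name, header layout and URL shape are assumptions.

```python
"""Resolve a session token without ever trusting the URL (assumed layout)."""
import logging
from http.cookies import SimpleCookie
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "session_id"  # assumed cookie / legacy query-parameter name
log = logging.getLogger(__name__)


def url_carries_session(url: str) -> bool:
    """True when a (legacy) session id is present in the query string."""
    return SESSION_COOKIE in parse_qs(urlsplit(url).query)


def session_from_request(headers: Mapping[str, str], url: str) -> Optional[str]:
    """Return the session token from 'Authorization: Bearer <token>' or from
    the session cookie.  A session id in the URL is reported but ignored, so
    sharing the link leaks nothing usable."""
    if url_carries_session(url):
        log.warning("session id found in URL; ignoring it (use header/cookie)")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    if SESSION_COOKIE in cookies:
        return cookies[SESSION_COOKIE].value
    return None


def session_set_cookie(token: str, max_age: int = 3600) -> str:
    """Set-Cookie value: unreadable by scripts (HttpOnly), TLS only (Secure),
    not sent on cross-site navigations (SameSite=Strict)."""
    return (f"{SESSION_COOKIE}={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")
```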