Use session tokens in the auth header #3458

Closed
havocp opened this issue Dec 30, 2015 · 4 comments
Closed
Comments

@havocp
Contributor

havocp commented Dec 30, 2015

Right now we put the session ID in the URL, which means that if someone shares the URL they are leaking their access (in a scenario where session IDs are handed out only after authentication). This may be undesirable and could be fixed by allowing the session ID to be set in a cookie instead.

@havocp havocp added this to the 0.12 milestone Dec 30, 2015
@damianavila damianavila modified the milestones: short-term, 0.12 Feb 5, 2016
@bryevdv bryevdv modified the milestones: 0.12.5, short-term Dec 21, 2016
@bryevdv bryevdv modified the milestones: 0.12.6, 0.12.5, short-term Mar 16, 2017
@bryevdv bryevdv modified the milestones: short-term, 0.12.x Mar 16, 2018
@bryevdv bryevdv modified the milestones: 0.13.x, short-term Sep 11, 2018
@bryevdv bryevdv modified the milestones: short-term, 1.4 Jul 16, 2019
@bryevdv bryevdv changed the title Allow bokeh-session-id to be in a cookie Allow bokeh-session-id to be in a header Sep 22, 2019
@bryevdv
Member

bryevdv commented Sep 22, 2019

Pushing this off again, but leaving some comments:

  • I think this should actually be a Bearer token in the auth header, not a cookie
  • I think we should use standard JWT tokens instead of rolling our own solution

I think also we might want to decouple the session id notion from the token. Currently the session id essentially is the token when it is signed, but I am not sure it makes sense for that to be the case. Maybe it's fine, but if not, changing something like that is a 2.0 task.

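The header-based approach proposed above, as an added example (not Bokeh's own code): a constructed HMAC-signed session token that the server accepts only from an `Authorization: Bearer` header, shown next to the query-string variant the issue describes. The token format, the signing key, and the use of `bokeh-session-id` as the query parameter name are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Assumption: a server-side signing key; constructed value for this example.
SECRET = b"constructed-demo-secret"


def sign_session_id(session_id: str, secret: bytes = SECRET) -> str:
    """Token = <id> '.' urlsafe-base64(HMAC-SHA256(id)). Constructed format."""
    sig = hmac.new(secret, session_id.encode(), hashlib.sha256).digest()
    return session_id + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def verify_token(token: str, secret: bytes = SECRET):
    """Return the session id if the token's signature is valid, else None."""
    sid, sep, _sig = token.rpartition(".")
    if not sep or not sid:
        return None
    expected = sign_session_id(sid, secret)
    # Constant-time comparison so timing does not leak signature bytes.
    return sid if hmac.compare_digest(expected, token) else None


def session_from_headers(headers: dict, secret: bytes = SECRET):
    """Accept the token only from 'Authorization: Bearer <token>'.
    A token carried here is not part of the shareable URL."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return verify_token(token.strip(), secret)


def session_from_url(url: str, secret: bytes = SECRET):
    """The pattern the issue describes: token in the query string. Anyone who
    receives the URL (link share, Referer, proxy or access log) also receives
    the session, which is the leak the header form avoids."""
    tokens = parse_qs(urlsplit(url).query).get("bokeh-session-id", [])
    return verify_token(tokens[0], secret) if tokens else None
```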
@p-himik
Contributor

p-himik commented Sep 22, 2019

@bryevdv I assume the bearer token has to be stored securely, right? If so, it should probably be placed in a cookie and not in a regular header since cookies are designed to be much more secure.
Why do you think putting it in a header is better?

@bryevdv
Member

bryevdv commented Sep 22, 2019

@p-himik since the other issue is somewhat related, let's keep the discussion on the other issue just for simplicity

@bryevdv bryevdv changed the title Allow bokeh-session-id to be in a header Use session tokens in the auth header Oct 11, 2019
@bryevdv
Member

bryevdv commented Feb 14, 2020

This was closed by #9536

@bryevdv bryevdv closed this as completed Feb 14, 2020
4 participants