improving cookie security #11
Conversation
Hi @daghan Thanks, this is a good idea. But have you tried it yet? It doesn't work. The reason is that by default, Flask doesn't run over SSL, so the As for HTTP only, I'm not sure we want to exclude the use of JavaScript front-end frameworks for folks adapting this project, so I'm not sold on that either. But if you adapted the PR to just set the samesite setting, I'd be happy to accept it.
Hi @mikeckennedy, Thanks for looking into this. I will update the PR with the Even with a JS front-end like React, there should really be no need for the JS code to read the contents of an auth cookie. The browser will use and send the cookie back to the server for authentication. It just won't let the cookie be readable by the JS scripts running in the browser. Do you see a use case where a React or Vue script needs to read the contents of the auth cookie? And if so, do you think that case outweighs the benefits of securing the auth cookie? Let me know what you decide. By the way, in thinking about your question and formulating a response, these links were helpful to me:
Oh, thanks for clearing up my misunderstanding. Yes, we want
…but relaxing secure param, since the app has to run on http
I went ahead and updated the PR. I relaxed the
Perfect! Thanks for the PR and for teaching me something. You might notice a slight change in the cookies at https://training.talkpython.fm/ ;)
My pleasure. This email is the reason I joined r2c <https://r2c.dev/>.
Our mission is literally:
[image: image.png]
--
Daghan.
Hi Michael,
We have a free program analysis tool for Python-based web projects, called Bento. While we were scanning GitHub projects for issues, it triggered a warning for cookie security best practices for your app.
Cookie-based authentication may be susceptible to XSS attacks (https://techblog.topdesk.com/security/cookie-security/). Flask's recommendation is to set the `secure`, `httponly` and `samesite` parameters (https://flask.palletsprojects.com/en/1.1.x/security/#set-cookie-options). Hopefully you'll find this PR useful.
Bento found some additional issues related to the use of "bare excepts" and unsafe XML parser usage ("xml.etree.ElementTree.fromstring"), among other things, but I didn't include them to keep this PR simple. In case you are curious, you can take a look at them using Bento (download it from https://bento.dev).
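The cookie attributes the thread settles on, as an added example that is not code from this PR or the project: it builds the Set-Cookie value with Python's standard-library http.cookies, setting Secure only when the app is actually served over HTTPS (the reason the PR relaxed that flag), and audits an existing Set-Cookie value for the three attributes Bento flagged. The function names and the sample cookie value are constructed for this example.

```python
from http.cookies import SimpleCookie


def build_auth_cookie(name, value, served_over_https):
    """Return the Set-Cookie header value for an auth cookie.

    HttpOnly and SameSite are always set; Secure only when the app is
    really behind TLS, because a Secure cookie is never sent back over
    plain HTTP, which is what broke the first version of the PR.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["httponly"] = True      # document.cookie cannot read it (XSS)
    morsel["samesite"] = "Lax"     # not sent on cross-site POSTs (CSRF)
    morsel["path"] = "/"
    if served_over_https:
        morsel["secure"] = True    # only ever transmitted over TLS
    return morsel.OutputString()   # value only, without "Set-Cookie:"


def audit_set_cookie(header_value, served_over_https):
    """List the hardening attributes a Set-Cookie value is missing.

    This is the kind of check a scanner such as Bento raises: it looks
    only at the attribute list after the first ';', never at the value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append("missing or weak SameSite")
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure")
    if not served_over_https and "secure" in attrs:
        findings.append("Secure set but app served over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample: an auth cookie as Flask would set it without flags.
    print(audit_set_cookie("auth=abc123; Path=/", served_over_https=False))
    print(build_auth_cookie("auth", "abc123", served_over_https=True))
```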