Comments (6)
This appears to extend to the more complete aiohttp demos as well:
https://github.com/aio-libs/aiohttp-demos/blob/master/demos/blog/aiohttpdemo_blog/db_auth.py
from aiohttp-security.
@asvetlov More generally, what is the rationale for this advice? What issues might we face by revealing the user ID or login?
Worth noting that this isn't even revealed when using the session backend with EncryptedCookieStorage
, as the session is encrypted.
from aiohttp-security.
My 2 cents:
If the identity is user login and it is stolen, attackers can login with your login. Since your login usually doesn't change, you don't have a way stop the bad actor.
Using an EncryptedCookieStorage
still has the same risk above. That is, as long as I have your encrypted session, I have your account.
from aiohttp-security.
I feel like if you can access a cookie, you can probably also access the user's login details anyway. Expiry times can also reduce this risk.
If developers want to ensure that a session can be revoked, then it would be a good reason to use something different for the ID. However, revoking a session needs to be an explicit feature that they plan for and implement. The tradeoff is that you now also need a DB call to validate the session on every request.
So, I still feel that strongly discouraging users from using a user ID isn't providing any benefits. We could expand the documentation to talk about these different strategies and their tradeoffs though. Maybe also link to the Oauth documentation which seems similar here in terms of tradeoffs of token designs: https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/
from aiohttp-security.
@yanxurui the stolen login does not allow the attacker to login, they'd need a session id or a login password.
User id's are generally not considered secrets. They show up in server logs (so activities can be tracked to users), in forum posts (to allow other users to recognize postings made by the same user), in helpdesk tickets (so helpdesk persons can look up what happened).
It's the passwords, the additional factors in 2FA, the session ids which are considered secrets.
from aiohttp-security.
Hi @toolforger , yes your are correct that there is no risk if the login itself is leaked. However, it's a concern when the the login is used as the "identity" in this module.
from aiohttp-security.
Related Issues (20)
- Why is the "latest" release on github version 0.2.0? HOT 1
- Extend permission-checking methods to return additional information HOT 2
- Non-SA MySQL Example (Inside) HOT 4
- Permission lists - Restrict route to multiple permission levels.
- Why has_permission decorator is being deprecated ? HOT 1
- Dependabot couldn't authenticate with https://pypi.python.org/simple/
- Dependabot couldn't authenticate with https://pypi.python.org/simple/
- remember() not working HOT 4
- Why is identity forced to be string? HOT 5
- Question: Timeouts with remember() HOT 2
- cannot import name 'create_pool' from 'aioredis' HOT 1
- Should SessionIdentityPolicy.remember call new_session instead of get_session?
- Do you need help? HOT 2
- Redis upgrade
- SQLAlchemy upgrade
- Should identity be changed? HOT 1
- "Basic" terminology is misleading HOT 2
- Replace API functions
- Let's put `aiohttp-debugtoolbar` under the `aio-libs` org on PyPI
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aiohttp-security.