Merge #1783
1783: Switch to server-side sessions r=mergify[bot] a=nextgens ## What type of PR? bug-fix ## What does this PR do? It simplifies session management. - it ensures that sessions will eventually expire (*) - it implements some mitigation against session-fixation attacks - it switches from client-side to server-side sessions (in Redis) It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>master
commit
25e8910b89
@ -0,0 +1 @@
|
||||
Switch from client side sessions (cookies) to server-side sessions (Redis). This simplies the security model a lot and allows for an easier recovery should a cookie ever land in the hands of an attacker.
|
Loading…
Reference in New Issue