Apache Allura™

Forge software for hosting software projects

Brought to you by: alexluberg, brondsem, deshani, dill0wn, and 10 others

#8526 improve session cookie handling NEEDS CONFIG CHANGES

Milestone: unreleased

Status: closed

Owner: Dave Brondsema

Labels: security (34)

Component: General

Reviewer: nobody

Updated: 2023-11-27

Created: 2023-11-15

Creator: Dave Brondsema

Private: No

Main thing is to move away from pickle, but we can also implement stronger keys, support key rotation, etc.

Discussion

Dave Brondsema - 2023-11-15

summary: improve session cookie handling --> improve session cookie handling NEEDS CONFIG CHANGES
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2023-11-15

for deployment/changelog:

add session.jwt_secret_keys to .ini file, with a value python -c 'import secrets; print(secrets.token_hex());'

session.type = cookie is no longer used

optionally session.read_original_format = true and rename session.validate_key to session.original_format_validate_key for backwards compatibility. Remove after a transition period

optionally session.write_original_format = true if it takes a while to deploy all your code to multiple hosts/procs. Then remove once all processes have new code.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2023-11-16

status: in-progress --> review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dillon Walls - 2023-11-27

status: review --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.