Add support for sessions
This would be a real shot in the arm for jester and make it a much better web framework. As far as I can tell, jester doesn't have support right now for something like sessions, such as PHP has: http://php.net/manual/en/session.examples.basic.php
Right now it looks like an integer/id field could be added in the Request object, and then sent to the user via the cookies. There would probably need to be a table or something to record sessions.
The reason why this is important to add is so jester could have support for something like CSRF tokens.
This should be implemented in a separate library IMO. I think @FedericoCeratto has created one already.
Federico's Project: https://github.com/FedericoCeratto/nim-httpauth It looks very powerful but has an external dependency on libsodium.
Here are example implementations for the Python web frameworks Flask and hug: https://github.com/pallets/flask/blob/master/flask/sessions.py https://github.com/timothycrosley/hug/blob/master/hug/middleware.py#L27
I think it would be very handy to have this builtin for jester.
IMHO this should be part of jester.
Session management could exist in a small dedicated library, as done in other languages. However, encryption and signing are required for cookie-based sessions. Is the dependency on libsodium going to be a problem?
@Araq why?
@dom96 sessions are in scope for micro frameworks in other languages, I don't think it's unreasonable to add to jester.
Because every web project needs it and jester doesn't seem to give me much. I don't need fancy URL dispatching, I can do that easily enough on my own. Session management would add some real value. But note that I only know jester from its usage in nimforum.
Okay. In that case I'm willing to include sessions in Jester.
@dom96 awesome. Please do, I'm in need of this now. In the meantime I'll take a look at @FedericoCeratto's lib (I don't mind dependencies).
@dom96 sorry if I missed progress on this. Has session support been implemented in jester? If not, are there plans?
Authentication requires password hashing and sessions can require signing. Relying on a well known cryptographic library is the safe alternative to homemade crypto.
I'm now working on adding sessions to my app. So we have setCookie(). What is the best practice for facilitating a session? My first thought is to keep a hash or random string in memory or in a backend that matches what's in the cookie. "Session can require signing:" To what end? This means I sign the cookie contents with a private key and include the signature in the cookie so later I can verify it server-side?
HttpOnly Flag: HttpOnly cookies are inaccessible to JavaScript's Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and the HttpOnly flag should be set.
Here we go: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
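The two designs discussed above (a signed cookie that carries its own state, versus an opaque random id that keys a server-side store) and the cookie attributes from the HttpOnly excerpt, worked through as an added example. This is illustration code written for this thread, not jester code and not taken from any of the linked projects; Python is used because the thread points at Flask's sessions.py as a model and the mechanism does not depend on the framework. The key, cookie name and lifetime are constructed values, and the in-memory dict stands in for whatever backend (the SQL table mentioned below, for instance) a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed example key: a real server loads this from configuration, never from source.
SECRET_KEY = b"constructed-example-key-for-this-thread-only"
SESSION_TTL = 3600  # seconds a signed cookie stays valid (constructed value)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, key: bytes = SECRET_KEY, now: Optional[int] = None) -> str:
    """Cookie-based session: JSON payload plus issue time, tagged with HMAC-SHA256.

    Wire format is base64url(json) + "." + base64url(tag). The tag is computed over the
    encoded payload, so changing any field (including the timestamp) breaks verification.
    Signing gives integrity, not confidentiality: the client can still read the payload.
    """
    body = dict(payload, iat=int(time.time() if now is None else now))
    encoded = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return encoded + "." + _b64e(tag)


def verify_session(cookie: str, key: bytes = SECRET_KEY, max_age: int = SESSION_TTL,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the tag is genuine and the session has not expired, else None."""
    try:
        encoded, tag_text = cookie.rsplit(".", 1)
        expected = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak where the tags first differ.
        if not hmac.compare_digest(expected, _b64d(tag_text)):
            return None
        body = json.loads(_b64d(encoded))
    except ValueError:  # missing separator, malformed base64 or JSON
        return None
    if not isinstance(body, dict) or not isinstance(body.get("iat"), int):
        return None
    current = int(time.time() if now is None else now)
    if current - body["iat"] > max_age:
        return None
    return body


class ServerSideSessions:
    """Server-side session: the cookie carries only an opaque random id and all state
    stays on the server. A dict stands in for a database table in this example."""

    def __init__(self) -> None:
        self._store: Dict[str, dict] = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        self._store[sid] = dict(data)
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._store.get(sid)

    def destroy(self, sid: str) -> None:
        self._store.pop(sid, None)  # logout: the id is useless afterwards even if it leaked


def csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Per-session CSRF token bound to the session id with a keyed hash (the use case from
    the opening post). Forms carry it; the handler recomputes it and compares."""
    return _b64e(hmac.new(key, b"csrf:" + session_id.encode(), hashlib.sha256).digest())


def session_cookie_header(value: str, max_age: int = SESSION_TTL) -> str:
    """Set-Cookie line with the attributes raised above: HttpOnly keeps the cookie out of
    Document.cookie, Secure limits it to HTTPS, SameSite=Lax blocks most cross-site sends."""
    return f"session={value}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    cookie = sign_session({"user": "alice"})
    print(session_cookie_header(cookie))
    print("verified:", verify_session(cookie))
    # Splice a different payload onto the original tag: verification must reject it.
    forged = sign_session({"user": "admin"}).split(".")[0] + "." + cookie.split(".")[1]
    print("forged accepted:", verify_session(forged))
    store = ServerSideSessions()
    sid = store.create({"user": "alice"})
    print(session_cookie_header(sid), "csrf:", csrf_token(sid))
```

The signed form is what a framework without a storage backend can offer out of the box; the opaque-id form is what a SQL-backed implementation ends up doing, with the store deciding expiry and revocation. Either way the cookie should be set with HttpOnly and Secure, and the CSRF token is derived from (or stored alongside) the session rather than being the session id itself.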
I started something here: https://github.com/TensorTom/sqlsessions.nim
Will probably have a working version in a few days. I'm using SQL as a backend since holding session state in memory sounds tedious and probably bad.