supervisor-frontend-service icon indicating copy to clipboard operation
supervisor-frontend-service copied to clipboard
verified publisher icon gridhead

Cloaking session secret for Flask

Open gridhead opened this issue 4 years ago • 2 comments

Cloaking session secret for Flask

Fixes #82.

Signed-off-by: Akashdeep Dhar [email protected]

gridhead avatar Apr 12 '21 03:04 gridhead

This is still not safe. There needs to be a start script implemented to check if there are .env variables existing in the path or not, and if not so, they would create one and store the session secret on the first start. Subsequent uses would keep checking for the .env file and load up the session secret from it.

gridhead avatar Apr 12 '21 03:04 gridhead

With changes made via https://github.com/t0xic0der/supervisor-frontend-service/pull/87/commits/7ca55d08400475ed436497fad32a661f822f417a and https://github.com/t0xic0der/supervisor-frontend-service/pull/87/commits/5b6a0c448c1725037f0c456f5e9c8b40c7d3f261, session secrets are randomly generated in the first-time execution and then reused thereafter. From a security standpoint, the presence of the sesskeys environment variable is first checked and if it is not found, only then are the new session secrets generated.

Generation of new session secrets would mean that the older existing sessions which made use of the previous session secret would no longer be valid. This is not a very big deal as the user would be shown the following 403 Forbidden page - from where they can head over to the login page and log back in with the same credentials.

image

Do note that the session secrets are not regenerated on every execution as once a valid .env is found, the server would try to make use of that. Session secrets can be explicitly regenerated if there is a suspicion of session data being compromised by deleting the .env file inside the container (if using the Docker image) or from the install location (if using the COPR) and restarting the server. Once the server starts, it would not find a valid .env file as a result of the deletion and hence, regenerate a new one and store it.

The following is the prompt when the session secrets are not found and hence, generated and stored.

 * Setting up the session secret into environment variables...
 * SuperVisor Frontend Service v1.2.1-beta
 * Port number    : 9696
 * IP version     : 4
 * Logs state     : Errors only
 * Serving Flask app "main" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://0.0.0.0:9696/ (Press CTRL+C to quit)

The following is the prompt when the session secrets are found and hence, reused.

 * Loading up the session secret from environment variables...
 * SuperVisor Frontend Service v1.2.1-beta
 * Port number    : 9696
 * IP version     : 4
 * Logs state     : Errors only
 * Serving Flask app "main" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://0.0.0.0:9696/ (Press CTRL+C to quit)

gridhead avatar Apr 25 '21 03:04 gridhead