Marco Squarcina

Results: 4 comments by Marco Squarcina

Absolutely agree with this one. I also noticed it 2 days ago while checking the code base of Flask-Login for https://github.com/maxcountryman/flask-login/pull/677 and wanted to report it. Reading the IP address...

Hi @davidism, thanks for processing the PR. From a security standpoint, doing a `session.clear()` would certainly get the job done. However, this change would also delete all session keys populated...

Alright then, totally fine with that! Shall I change the current PR to perform a simple `session.clear()`?

Hi and thanks for the reply! I realized another (more severe) security implication. To avoid disclosing the issue publicly, I filed 2 identical reports to Firefox (#1783982) and Chrome (#1351601)....