koajs/session

Save session in memory instead of cookies by default for security?

Bin-Huang opened this issue · 2 comments

Thank you for koa and koa-session, and I want to express some concerns.

By reading the source code, I am not sure now that koa-session's default behavior is safe enough. When initialized without an external store, the session is just stored in the cookies with a very simple base64 encoding, which is shared with the browser.

It is easy to hack by decoding the cookies and then modifying the session. For example, if the session stores a userId (common practice), hackers can easily impersonate other users to do some dangerous actions by resetting the userId in the cookies.

Although koa-session, with a special emphasis on cookie-based session implementation in the README, supports a more secure external store, its default behavior is not safe enough, especially for beginners. More and more people are starting to use koa and koa-session (see weekly downloads on npm), and I don't think it's a good idea to keep storing sessions in cookies.

Maybe storing the session in memory by default is a good option for koa-session, just like express-session. It is more secure and easier to use. Of course, there are some new challenges: expiry, memory overflow... But it is still an option worth considering.

No, saving the session in memory is always a bad idea because you can't scale it with a cluster. koa's cookie is signed by default, so people can't modify the session from the client side. koa-session supports an external session store, so you can easily migrate your session to anywhere you want to save it.

I understand now and thanks