martian: remove session hijacking
Closed this issue · 2 comments
mmatczuk commented
Martian Session can be hijacked, hijacking means getting and owning the underlying connection.
forwarder/internal/martian/context.go
Line 114 in 7e70f3d
This feature is generally not used. We use it in proxy to implement abortIf. This implementation is problematic because every time client does something "bad" we terminate the connection. In some cases it makes sense ex. wrong basic auth credentials but in other cases it makes more harm than good.
If we removed hijacking
- the proxy code could be streamlined because we would not have to check if session was hijacked every time we ran modifiers
- abortIf could be removed, we would have normal modifiers error handling needs to be fixed in forwarder to return appropriate response for error