zamzterz/Flask-pyoidc

Session persistence

Closed this issue · 1 comment

Hi,

I would like to ask: what would be the security implications of using the default cookie-based Flask's session handling with this package? Should I additionally use something like Flask-Session for having server-side sessions when using Flask-pyoidc?

Thank you in advance.

Currently the access token, which is a security credential that should be kept secret by the application, is stored in the Flask session. If it gets in the wrong hands it could be used to impersonate your application and maliciously perform actions on behalf of the user.

Since for example this blog post points out the issue with the default cookie-based session implementation in Flask, using something like Flask-Session would definitely be a good idea to improve your application's security. 👍
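To make the risk in the reply concrete, here is an added example that is not code from Flask-pyoidc or its maintainer: Flask's default session cookie is signed but not encrypted, so its payload can be read with only the standard library and no secret key. The cookie builder is a constructed stand-in for the real cookie (placeholder timestamp and signature fields), and `server_side_session_config` is an assumed Flask-Session configuration for the server-side alternative the reply suggests.

```python
import base64
import json
import zlib

# Flask's default session cookie (itsdangerous URLSafeTimedSerializer) looks like
#   [.]<base64url payload>.<timestamp>.<signature>
# A leading "." means the JSON payload is zlib-compressed. Only the signature
# depends on SECRET_KEY; the payload itself is readable by whoever holds the cookie.


def _b64url_decode(s: str) -> bytes:
    data = s.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def decode_flask_session_payload(cookie: str) -> dict:
    """Return the session dict stored in a Flask session cookie without SECRET_KEY.
    The signature is ignored on purpose: this shows what a leaked cookie reveals."""
    compressed = cookie.startswith(".")
    body = cookie[1:] if compressed else cookie
    raw = _b64url_decode(body.split(".", 1)[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def session_exposes_credential(session: dict) -> bool:
    """Defensive check: does the client-side session carry an OAuth/OIDC credential?"""
    sensitive = {"access_token", "refresh_token", "id_token"}
    return any(key in session for key in sensitive)


def build_constructed_cookie(session: dict, compress: bool = False) -> str:
    """Constructed stand-in for the cookie Flask would set (no real signature)."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    prefix = ""
    if compress:
        raw = zlib.compress(raw)
        prefix = "."
    payload = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{prefix}{payload}.PLACEHOLDER_TS.PLACEHOLDER_SIG"


def server_side_session_config() -> dict:
    """Assumed Flask-Session settings: keep session data on the server so the
    browser only holds an opaque session id, never the token itself."""
    return {"SESSION_TYPE": "filesystem", "SESSION_COOKIE_HTTPONLY": True,
            "SESSION_COOKIE_SECURE": True, "SESSION_COOKIE_SAMESITE": "Lax"}


if __name__ == "__main__":
    cookie = build_constructed_cookie({"access_token": "tok-constructed-123"})
    leaked = decode_flask_session_payload(cookie)  # no secret key needed
    print(leaked, session_exposes_credential(leaked))
```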