securecookie: v2 #43
Comments
WIP branch here: https://github.com/gorilla/securecookie/tree/elithrar/v2 Next up:
Future:
|
I was just gonna post and ask about SameSite attribute. Thanks for beating me to it! ;) |
Update: still a WIP. I'm waiting for Go's "dep" tool to land so I can version the library more cleanly. |
Any progress? |
dep hasn't landed in the Go toolchain yet, so nothing yet. There is an
(old) WIP branch - https://github.com/gorilla/securecookie/tree/elithrar/v2
- but unlikely to commit significant time until dep lands.
Is there a specific need that v2 would address for you?
…On Thu, Oct 26, 2017 at 1:38 PM Bruno Bigras ***@***.***> wrote:
Any progress?
|
Oh sorry. I saw "dep is safe for production use" on https://github.com/golang/dep and I assumed it landed.
I have been looking forward to use |
We can probably look to add SameSite to the current version (I'll also
accept a PR!)
…On Thu, Oct 26, 2017 at 2:38 PM Bruno Bigras ***@***.***> wrote:
dep hasn't landed in the Go toolchain yet
Oh sorry. I saw "dep is safe for production use" on
https://github.com/golang/dep and I assumed it landed.
Is there a specific need that v2 would address for you?
I have been looking forward to use SameSite since support was added for
it in Chrome. I'm not aware of the other changes.
|
I don't see how a cookie attribute like SameSite would apply to this when it's only concerned with the value. |
Any update on this and how can I help in the WIP branch? |
There's no priority on this right now. Is there a particular need that would be fulfilled by v2? @srikrsna |
This would lead to sessions v2 @elithrar |
@srikrsna Sure, but what do you need out of sessions v2? What about sessions v1 doesn't fit your use-case? (be precise, it helps us understand what users are after!) |
Proposed, simplified API:

```go
package securecookie

type SecureCookie struct {
	// fields
}

// No need to provide two keys: we authenticate by default, or use an AEAD construct for encryption.
func New(key []byte, options *Options) (*SecureCookie, error) { panic("not implemented") }

// TBD as to whether we make these methods, but I prefer simple struct members where possible
type Options struct {
	// No need to keep *Multi methods: if len(opts.RotatedKeys) > 0 then we can attempt those
	RotatedKeys [][]byte
	// Not enabled by default. Authenticated cookies are, however.
	Encrypt    bool
	MaxAge     int
	MaxLength  int
	Serializer Serializer
}

// Remains as-is
type Serializer interface {
	Serialize(src interface{}) ([]byte, error)
	Deserialize(src []byte, dst interface{}) error
}

// Encode & Decode use the serializer defined by Options.Serializer
func (sc *SecureCookie) Encode(name string, val interface{}) (string, error) { panic("not implemented") }
func (sc *SecureCookie) Decode(name string, val string, dest interface{}) error { panic("not implemented") }
```

This gets us to a dramatically simpler API.
I was considering how we could re-purpose |
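As an added illustration (not code from the securecookie repository or the WIP branch), the following Go sketch implements the shape of the proposal above: a single key, HMAC-SHA256 authentication by default, opt-in AEAD encryption (AES-GCM from the standard library stands in for the nacl/secretbox construct the issue mentions), the cookie name bound into the MAC or associated data, and a Decode loop over RotatedKeys in place of the `*Multi` methods. It takes Options by value, leaves out MaxAge/MaxLength/Serializer and works on already-serialized bytes; every identifier here is my own choice, not the project's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Options follows the proposal: authenticated by default, encryption opt-in,
// and previously used keys that Decode falls back to during rotation.
type Options struct {
	RotatedKeys [][]byte
	Encrypt     bool
}

// SecureCookie keeps the current key at index 0 and the rotated keys after it.
type SecureCookie struct {
	opts  Options
	keys  [][]byte
	aeads []cipher.AEAD // one AES-GCM per key, built once in New
}

// New takes a single key of 16, 24 or 32 bytes: it is the HMAC-SHA256 key by
// default and the AES-GCM key when opts.Encrypt is set.
func New(key []byte, opts Options) (*SecureCookie, error) {
	sc := &SecureCookie{opts: opts, keys: append([][]byte{key}, opts.RotatedKeys...)}
	for _, k := range sc.keys {
		block, err := aes.NewCipher(k) // also rejects keys of the wrong length
		if err != nil {
			return nil, err
		}
		aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
		sc.aeads = append(sc.aeads, aead)
	}
	return sc, nil
}

// tag is HMAC-SHA256 over name || data. Binding the cookie name means a value
// minted for one cookie is rejected if it is presented under another name.
func tag(key []byte, name string, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(name))
	m.Write(data)
	return m.Sum(nil)
}

// seal protects the value under key i: plain || tag in the default mode, or
// nonce || ciphertext || gcmtag with the cookie name as associated data.
func (sc *SecureCookie) seal(i int, name string, plain []byte) ([]byte, error) {
	if !sc.opts.Encrypt {
		return append(append([]byte(nil), plain...), tag(sc.keys[i], name, plain)...), nil
	}
	nonce := make([]byte, sc.aeads[i].NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return sc.aeads[i].Seal(nonce, nonce, plain, []byte(name)), nil
}

// open is the inverse of seal for key i; any mismatch is an error.
func (sc *SecureCookie) open(i int, name string, sealed []byte) ([]byte, error) {
	if !sc.opts.Encrypt {
		n := len(sealed) - sha256.Size
		if n < 0 || !hmac.Equal(sealed[n:], tag(sc.keys[i], name, sealed[:n])) {
			return nil, errors.New("securecookie: MAC mismatch")
		}
		return sealed[:n], nil
	}
	ns := sc.aeads[i].NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("securecookie: value too short")
	}
	return sc.aeads[i].Open(nil, sealed[:ns], sealed[ns:], []byte(name))
}

// Encode seals already-serialized bytes under the current key (index 0) and
// returns a cookie-safe base64 string.
func (sc *SecureCookie) Encode(name string, value []byte) (string, error) {
	sealed, err := sc.seal(0, name, value)
	return base64.RawURLEncoding.EncodeToString(sealed), err
}

// Decode tries the current key, then each rotated key in turn: this loop is
// what replaces the separate *Multi methods of v1.
func (sc *SecureCookie) Decode(name, cookie string) ([]byte, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	for i := range sc.keys {
		if plain, err := sc.open(i, name, sealed); err == nil {
			return plain, nil
		}
	}
	return nil, errors.New("securecookie: value not valid under any configured key")
}
```

Rotation works by constructing the new instance with the previous key in `RotatedKeys`: values minted under the old key still decode, values minted under a key that was never configured do not, and a value presented under a different cookie name fails in both modes because the name is part of what is authenticated.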
@elithrar Apologies for not being clear. The requirement is the new Context with sessions v2. Last I checked there is a leak due to the shallow copying involved and I am using the new context. |
@srikrsna - if you have a leak, please file an issue in sessions. You don’t need v2 to avoid that. |
@elithrar there's one already gorilla/sessions#122 |
Some drive-by thoughts:
|
I have an updated v2 branch here: https://github.com/gorilla/securecookie/tree/elithrar/v2 Following up on @balasanjay's comments:
|
Note: I still have work to do around:
|
Thinking further on how we do key rotation: there's the likelihood that users would want to change Options as they change keys. Thus, the |
Hi @elithrar , just a note -- though you are likely already aware -- |
How's sameSite coming along? |
I'm not seeing the same message under Chrome, but I typically use Firefox and when using securecookie without the SameSite option many error messages are triggered that clog up the Console... For every cookie you'll get:
So if you're using several cookies, you'll get a lot of these warnings... Would be nice to support the SameSite tag so these warnings can be bypassed. For development, we probably want to use |
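To make the point raised earlier in the thread concrete, here is an added example (not code from the securecookie project) of where SameSite lives: it is an attribute of the Set-Cookie header, set on `http.Cookie` beside the already-encoded value, so an encoder that only deals with the value never needs to know about it. The helper also refuses `SameSite=None` without `Secure`, which browsers require; the function names and the cookie value are my own constructions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SetSameSiteCookie attaches an already-encoded cookie value to the response.
// SameSite is an attribute of the Set-Cookie header, so it is set here on
// http.Cookie next to the value rather than inside the encoder.
func SetSameSiteCookie(w http.ResponseWriter, name, encoded string, mode http.SameSite, secure bool) error {
	// Browsers reject SameSite=None unless the cookie is also marked Secure.
	if mode == http.SameSiteNoneMode && !secure {
		return errors.New("SameSite=None requires the Secure attribute")
	}
	http.SetCookie(w, &http.Cookie{
		Name:     name,
		Value:    encoded,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: mode,
	})
	return nil
}

// RoundTrip writes the cookie to a recorded response and parses the resulting
// Set-Cookie header the way a client would, returning the parsed cookie.
func RoundTrip(name, encoded string, mode http.SameSite, secure bool) (*http.Cookie, error) {
	rec := httptest.NewRecorder()
	if err := SetSameSiteCookie(rec, name, encoded, mode, secure); err != nil {
		return nil, err
	}
	cookies := rec.Result().Cookies()
	if len(cookies) != 1 {
		return nil, fmt.Errorf("expected one Set-Cookie header, got %d", len(cookies))
	}
	return cookies[0], nil
}

func main() {
	// "constructed-encoded-value" stands in for whatever Encode produced.
	c, err := RoundTrip("session", "constructed-encoded-value", http.SameSiteStrictMode, true)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(c.String())
}
```

The parsed cookie carries the same value that was handed in, with SameSite, Secure and HttpOnly preserved, which is why adding the attribute needs no change to the encode/decode API.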
Hello maintainers, I'm trying to work on v2 and I'd like to know what key rotation interface you envision? |
Since I haven't received any response, I created a new package, please go to: https://github.com/go-rat/securecookie and https://github.com/go-rat/sessions |
Preface: we're thinking about what a gorilla/sessions v2 would look like. This naturally extends to securecookie, which provides a lot of the underlying implementation.
Key areas for improvement in v2:
nacl/secretbox). This is an AEAD construct that provides encryption+authentication together, securely.