[Ur] Securing sessions in Ur/Web

Simon Van Casteren simon.van.casteren at gmail.com
Fri Jan 18 10:14:13 EST 2019


Hey,

I've been thinking about this the better part of the day, but I can't
figure out the right approach here.

When a person logs in, username-password style, I make a cookie with this
form:

{ Role: <ADT, admin or not basically>
, Email: string
, CreatedOn: time}

I'm saving the role in the cookie, so subsequent security checks in the
page generators and rpc functions don't need to hit the database. Some of
my pages query multiple functions that do this check, so that's why I
thought to keep it out of the database.

Now, I'm not a security expert, but as far as I could figure out from my
research, this should be safe as Ur/Web takes care of both XSS and XSRF
problems. Only somebody forging the cookie from scratch could cause a
problem. So I decided to add a Signature field to the above cookie that
contains the HMAC-SHA256 digest of the 3 above fields. I have a few
problems/questions about this.

1. Is this safe? Is this a good solution? Or am I better off abandoning the
whole thing and going back to putting just a SessionId inside a cookie and
going to the database with that SessionId to check for authorization? Or
another solution that I'm not thinking of at the moment?

2. A problem I'm having is storing the key that is needed to run the
digest. My plan was to pass it via an environment variable to my program,
but getenv inside a page generator causes the compiler to complain, saying
that it could cause side-effects... Anybody have any ideas how to handle
this? I feel like putting my key in plain text inside my source code is not
very good, but maybe I'm wrong about that?

Any help much appreciated!

Simon
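As an added illustration of the HMAC-signed cookie scheme described above (example code, not from the post, and written in Python rather than Ur/Web because Ur/Web's library calls are not shown here): the three fields are serialized in a fixed order, tagged with HMAC-SHA256, and on each request verified with a constant-time comparison plus an expiry check on CreatedOn. The key and the 8-hour lifetime are constructed demo values; the key is an assumption to be loaded from a secret store in real use.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: in deployment load it from a secret store, never from source.
KEY = b"demo-key-do-not-use-in-production"
MAX_AGE = 8 * 3600  # seconds a signed session stays valid (assumed lifetime)


def _canonical(role: str, email: str, created_on: int) -> bytes:
    # Fixed key order and separators so the signed and verified bytes are identical.
    return json.dumps({"Role": role, "Email": email, "CreatedOn": created_on},
                      separators=(",", ":"), sort_keys=True).encode()


def sign_session(role: str, email: str, created_on: int, key: bytes = KEY) -> str:
    """Build the cookie value: base64(body) . base64(HMAC-SHA256(key, body))."""
    body = _canonical(role, email, created_on)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_session(cookie: str, now: int, key: bytes = KEY, max_age: int = MAX_AGE):
    """Return the session fields if the cookie is authentic and fresh, else None."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed cookie
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered
    session = json.loads(body)
    # The MAC only proves the server issued it; freshness is a separate check.
    if now - session["CreatedOn"] > max_age:
        return None  # expired
    return session
```

Note that a valid signature says nothing about revocation: a role changed or an account disabled in the database stays effective in outstanding cookies until they expire, which is the trade-off against a database-backed SessionId.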