Thank you!

On Fri, Jun 7, 2019, 12:32 PM Anthony <abasta...@gmail.com> wrote:

> Users can neither read nor write to the session (even cookie based sessions, which are encrypted), so it is "safe" in that regard. Of course, we don't know what your app code is writing to the session -- if you take user input and write it to the session, then it may not be safe.
>
> Anthony
>
> On Thursday, June 6, 2019 at 10:11:19 PM UTC-4, Vlad wrote:
>>
>> I don't really understand how it works internally, so wondering if it's safe to rely on a value stored as a session storage variable.
>> More specifically, I am authorizing one user to do certain actions on behalf of another user, and the currently assumed user is stored in session.user (even if auth.user_id is somebody else).
>> If somebody can hack session and change the value of session.user - it would be potentially dangerous situation, so if it's not safe - I would have to figure out something else. It's just easy and tempting to use some variables in a session.
>> Any ideas on how safe it is?
>>
>> p.s. I don't care if somebody can read it - my only concern is that they shouldn't be able to overwrite it, because this would give them authority to perform certain actions.
>>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
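Added example, not code from the thread or from web2py itself: a minimal, framework-free model of the "act on behalf of another user" flow discussed above. It shows the two halves of Anthony's answer side by side. First, the only way the stored `session.user` can go wrong is if the application writes it from user input without an authorization check (`assume_user_unsafe` versus `assume_user`), and the read side re-validates so a revoked delegation does not linger in the session. Second, a tamper-evident cookie (HMAC-signed here; web2py's cookie sessions are additionally encrypted, which this example does not model) rejects a client that edits the payload to claim another identity. `ALLOWED_DELEGATIONS`, `Session`, `SECRET` and the function names are all assumptions constructed for the example.

```python
"""Added example (not from the web2py thread or project): delegation stored
in a session, written only after an authorization check, and a signed cookie
that detects client-side tampering.  All names and data are constructed."""
import base64
import hashlib
import hmac
import json

# Constructed sample data: delegator -> set of users allowed to act as them.
ALLOWED_DELEGATIONS = {
    "alice": {"bob"},           # bob may act on behalf of alice
    "carol": {"bob", "dave"},   # bob and dave may act on behalf of carol
}


class Session(dict):
    """Stand-in for a server-side session: a dict the browser never edits."""


def delegation_allowed(auth_user_id, target_user):
    """True if auth_user_id may act as target_user (acting as yourself is always fine)."""
    return target_user == auth_user_id or auth_user_id in ALLOWED_DELEGATIONS.get(target_user, set())


def assume_user_unsafe(session, auth_user_id, requested_user):
    """The dangerous pattern from the thread: request input copied into the session unchecked."""
    session["user"] = requested_user
    return session["user"]


def assume_user(session, auth_user_id, requested_user):
    """Hardened version: the session only ever holds an identity the caller was authorized to assume."""
    if not delegation_allowed(auth_user_id, requested_user):
        return False
    session["user"] = requested_user
    return True


def current_actor(session, auth_user_id):
    """Re-check on every read: a stored value is only as trustworthy as the check that wrote it,
    and a delegation may have been revoked after it was granted."""
    acting = session.get("user", auth_user_id)
    if not delegation_allowed(auth_user_id, acting):
        session["user"] = auth_user_id   # fall back to the authenticated identity
        return auth_user_id
    return acting


# --- Tamper-evident cookie session (integrity only; web2py also encrypts) ---
SECRET = b"constructed-secret-key-do-not-reuse"   # assumption: a server-side secret


def _tag(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()


def dump_cookie(session):
    """Serialize the session as base64(JSON).hexdigest(HMAC-SHA256)."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    return body + b"." + _tag(body)


def load_cookie(cookie):
    """Return the Session if the tag verifies, else None (forged or edited cookie)."""
    body, _, tag = cookie.rpartition(b".")
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    return Session(json.loads(base64.urlsafe_b64decode(body)))


def tamper_cookie(cookie, new_user):
    """What an attacker without SECRET can do: rewrite the payload, keep the old tag."""
    body, _, tag = cookie.rpartition(b".")
    data = json.loads(base64.urlsafe_b64decode(body))
    data["user"] = new_user
    new_body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    return new_body + b"." + tag
```

The point of `current_actor` is that the question in the thread is really about who is allowed to write `session.user`, not about whether the session store itself is trustworthy; once the write is gated on `delegation_allowed`, the server-side session can be relied on, and the cookie variant only needs an integrity check to give the same guarantee.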