by programd
4088 days ago
In case you missed it, people posting the incorrectly initialized session code to GitHub have inadvertently revealed their default session secrets. The G2B2 source has a list of the 40 "secret" session encoding strings steakejjs managed to find. He uses it to shortcut the decoding process. My favorites have to be "" and the ever-popular "secret123". This is a security failure of a similar type, though not severity, to embedding your AWS credentials in code on GitHub. The developer is the weakest link in this case, but I have to wonder if the API design of Gorilla Sessions does not bear part of the blame. Should you even allow the developer to not correctly encrypt their sessions by default?
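The API-design question the comment raises (should a session library accept an empty or placeholder key at all?) can be answered at the point where the key is handed to the store. The following is an added example, not code from the comment, from G2B2 or from the Gorilla project: a gatekeeper that a wrapper around `sessions.NewCookieStore` could call before building the store. `CheckSessionKey`, `GenerateSessionKey`, `NewStoreKey`, the 32-byte minimum and the denylist entries other than `""` and `"secret123"` are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// MinSessionKeyLen is the minimum accepted key length in bytes. The value is
// an assumption for this example (32 bytes, i.e. 256 bits).
const MinSessionKeyLen = 32

// weakKeys is a constructed denylist of placeholder secrets. "" and
// "secret123" are the two named in the comment above; the rest are
// constructed entries for illustration.
var weakKeys = map[string]bool{
	"":          true,
	"secret123": true,
	"secret":    true,
	"changeme":  true,
}

var (
	ErrEmptyKey   = errors.New("session key is empty")
	ErrShortKey   = errors.New("session key is shorter than the minimum length")
	ErrKnownWeak  = errors.New("session key is a known placeholder value")
	ErrLowEntropy = errors.New("session key has too few distinct byte values")
)

// CheckSessionKey refuses keys that a hardened store constructor should never
// accept: empty keys, known placeholders, short keys and keys that are long
// but obviously non-random (e.g. one repeated byte).
func CheckSessionKey(key []byte) error {
	if len(key) == 0 {
		return ErrEmptyKey
	}
	if weakKeys[string(key)] {
		return ErrKnownWeak
	}
	if len(key) < MinSessionKeyLen {
		return ErrShortKey
	}
	// Crude entropy screen: count distinct byte values. A random 32-byte key
	// has far more than 8; "aaaa..." has 1.
	seen := make(map[byte]bool, len(key))
	for _, b := range key {
		seen[b] = true
	}
	if len(seen) < 8 {
		return ErrLowEntropy
	}
	return nil
}

// GenerateSessionKey returns n random bytes from crypto/rand, which is what a
// library should hand out when the caller has not configured a key, instead
// of a fixed default.
func GenerateSessionKey(n int) ([]byte, error) {
	if n < MinSessionKeyLen {
		return nil, ErrShortKey
	}
	key := make([]byte, n)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// NewStoreKey is the gate a wrapper around sessions.NewCookieStore would call:
// a weak configured key is an error, never a silently accepted default.
func NewStoreKey(configured string) ([]byte, error) {
	key := []byte(configured)
	if err := CheckSessionKey(key); err != nil {
		return nil, fmt.Errorf("refusing to build session store: %w", err)
	}
	return key, nil
}

func main() {
	// Constructed sample inputs: the two secrets named in the comment plus two
	// other weak shapes a validator should reject.
	for _, s := range []string{"", "secret123", "tooshort", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"} {
		_, err := NewStoreKey(s)
		fmt.Printf("%q -> %v\n", s, err)
	}
	key, _ := GenerateSessionKey(MinSessionKeyLen)
	fmt.Printf("generated key passes check: %v\n", CheckSessionKey(key) == nil)
}
```

The point of the design is that the failure mode the comment describes (a developer shipping with the placeholder from a copied snippet) becomes a startup error rather than a deployed weakness; the denylist catches the exact strings that leak on GitHub, and the length and distinct-byte checks catch the ones nobody has catalogued yet.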