Simple authentication and sessions: signed cookies

My webapp is really small and mostly just for my family use.

Right now I use a small sqlite3 database to keep track of (UUID4) session IDs and expiration. That’s all I need.

I was thinking though that I could store that in the cookie with an HMAC signature and a secret. Obviously anyone could create a cookie with whatever but could never sign it without my secret.

I would either use Python Bottle's built-in method or write my own based on theirs (they use this to store Python pickles and authenticate it, but I would just use JSON).

As far as I can tell, it is totally secure as long as (a) my password is secure and (b) I don't actually care if users can see the content of the cookie; I just don't want them to be able to change it.

Seems like a nice no-backend method to authenticate.
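The scheme the question describes, as an added example that is neither the asker's code nor Bottle's: a JSON session payload with an expiry baked into the signed bytes, an HMAC-SHA256 tag over those bytes, constant-time verification, and a `tamper_payload` helper that plays the role of a user who can read the cookie but does not hold the secret. `SECRET` and all function names are assumptions made for this example; the secret is a random signing key, separate from any login password.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed for this example only. In a real app generate the key once with
# secrets.token_bytes(32) and load it from a file or environment variable.
SECRET = b"example-signing-key-not-for-production-0123456789"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, secret: bytes, ttl_seconds: int,
                 now: Optional[float] = None) -> str:
    """Return '<base64 json>.<base64 hmac>' with 'exp' inside the signed part."""
    now = time.time() if now is None else now
    payload = dict(data, exp=int(now) + ttl_seconds)
    # Canonical serialisation: the bytes that are signed are the bytes sent.
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_session(cookie: str, secret: bytes,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the tag is valid and not expired, else None.

    The HMAC is checked before the JSON is parsed, so untrusted bytes never
    reach the parser, and the comparison is constant-time.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape or invalid base64 (binascii.Error subclasses it)
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        payload = json.loads(body.decode("utf-8"))
    except ValueError:
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or isinstance(exp, bool) or exp <= now:
        return None
    return payload


def peek_session(cookie: str) -> Optional[dict]:
    """What anyone holding the cookie can read without the secret (point (b))."""
    try:
        return json.loads(_unb64(cookie.split(".", 1)[0]).decode("utf-8"))
    except ValueError:
        return None


def tamper_payload(cookie: str, new_data: dict) -> str:
    """Simulate a user rewriting the JSON but keeping the original tag."""
    old_tag_b64 = cookie.split(".", 1)[1]
    payload = dict(peek_session(cookie) or {}, **new_data)
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + old_tag_b64


if __name__ == "__main__":
    cookie = sign_session({"user": "alice"}, SECRET, ttl_seconds=3600)
    print("cookie:", cookie)
    print("readable by anyone:", peek_session(cookie))
    print("valid:", verify_session(cookie, SECRET))
    print("tampered:", verify_session(tamper_payload(cookie, {"user": "admin"}), SECRET))
    print("wrong key:", verify_session(sign_session({"user": "admin"}, b"guess", 3600), SECRET))
```

Two details worth keeping when adapting this: the expiry lives inside the signed bytes, so a user cannot extend their own session by editing it, and the secret must be unguessable and kept out of the repository, because anyone who learns it can mint any session at all.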


