I used the GitHub search to find a similar question and didn't find it.
I searched the FastAPI documentation, with the integrated search.
I already searched in Google "How to X in FastAPI" and didn't find any information.
I already read and followed all the tutorials in the docs and didn't find an answer.
I already checked if it is not related to FastAPI but to Pydantic.
I already checked if it is not related to FastAPI but to Swagger UI.
I already checked if it is not related to FastAPI but to ReDoc.
Commit to Help
I commit to help with one of those options 👆
Example Code
# no code, see description
Description
The FastAPI documentation has a few tutorials on security that encourage the use of JWTs for authentication. The use of JWTs as a session mechanism has been discouraged, due to several security issues when they are used in this way. [1][2][3][4][5]
Some problems include:
JWTs that are stored in LocalStorage in the browser can be read by JS
JWTs and information inside them are hard/impractical to revoke
If JWTs are not handled correctly they are prone to forgery
If used simply as tokens stored server side they are inefficient
JWTs should only be used as one-time, short lived instructions between two services, servers, or hosts, not as a session.
HttpOnly cookie-based sessions with session-ID lookup can be used instead, and avoid many of these issues. These cookies have traditionally been prone to CSRF attacks, but this is less of a problem these days [6] with the use of strict cookies.
Perhaps the already amazing docs should at least make a mention of these issues? The examples could keep the active sessions alive in memory just to illustrate the point, but mention that an external store is more robust.
[1] - http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
[2] - https://curity.io/resources/learn/jwt-best-practices/
[3] - https://www.youtube.com/watch?v=JdGOb7AxUo0
[4] - https://redis.io/blog/json-web-tokens-jwt-are-dangerous-for-user-sessions/
[5] - https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
Operating System
Linux, Windows, macOS, Other
Operating System Details
No response
FastAPI Version
Pydantic Version
Python Version
Additional Context
No response
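As an added example (not part of the original post, and not code from FastAPI or its docs), here is the alternative the post describes: an opaque session ID kept in a server-side store and delivered in an HttpOnly, Secure, SameSite=Strict cookie. It uses only the Python standard library so it runs without FastAPI; the cookie name, the idle timeout, the in-memory dict and the function names (`InMemorySessionStore`, `session_cookie_header`, `authenticate`) are all assumptions for illustration, and the injectable clock exists only so expiry can be exercised without sleeping.

```python
# Added example (not from the original post or the FastAPI docs): an opaque,
# server-side session delivered in an HttpOnly / Secure / SameSite=Strict cookie.
# Standard library only, so it runs without FastAPI. The cookie name, TTL,
# in-memory dict and function names are assumptions; a real app would swap
# the dict for Redis or a database and call these from its request handlers.
import secrets
import time
from dataclasses import dataclass
from http.cookies import CookieError, SimpleCookie
from typing import Callable, Dict, Optional

SESSION_COOKIE = "session_id"      # assumed cookie name
DEFAULT_IDLE_TTL = 30 * 60         # assumed idle timeout, in seconds


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class InMemorySessionStore:
    """Maps random session IDs to server-side state.

    The cookie carries no claims, only an opaque ID, so there is nothing to
    forge and nothing for the client to decode; revoking a session is a
    dictionary delete. `clock` is injectable so expiry can be tested.
    """

    def __init__(self, idle_ttl: int = DEFAULT_IDLE_TTL,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle_ttl = idle_ttl
        self._clock = clock

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        if not sid:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._idle_ttl:
            del self._sessions[sid]              # idle timeout: drop the session
            return None
        session.last_seen = now                  # sliding expiry on use
        return session

    def revoke(self, sid: str) -> bool:
        """Logout: the ID stops working immediately, unlike a still-valid JWT."""
        return self._sessions.pop(sid, None) is not None

    def revoke_user(self, user_id: str) -> int:
        """Log a user out everywhere (password change, compromise); returns count."""
        doomed = [sid for sid, s in self._sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def session_cookie_header(sid: str, secure: bool = True) -> str:
    """Value of the Set-Cookie response header for a freshly created session."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    morsel = jar[SESSION_COOKIE]
    morsel["httponly"] = True        # not readable via document.cookie, unlike localStorage
    morsel["samesite"] = "Strict"    # browser omits it on cross-site requests (CSRF relief)
    morsel["path"] = "/"
    if secure:                       # HTTPS only; pass secure=False for plain-HTTP local dev
        morsel["secure"] = True
    return jar.output(header="").strip()


def session_id_from_cookie_header(cookie_header: Optional[str]) -> Optional[str]:
    """Extract our session ID from a request's Cookie header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def authenticate(store: InMemorySessionStore, headers: Dict[str, str]) -> Optional[str]:
    """Resolve the request's user ID from its Cookie header; None if anonymous."""
    session = store.lookup(session_id_from_cookie_header(headers.get("Cookie")))
    return session.user_id if session else None


if __name__ == "__main__":
    store = InMemorySessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("user:", authenticate(store, {"Cookie": f"{SESSION_COOKIE}={sid}"}))
    store.revoke(sid)
    print("after revoke:", authenticate(store, {"Cookie": f"{SESSION_COOKIE}={sid}"}))
```

In a FastAPI app the `session_cookie_header` value would be set on the login response, `authenticate` would become a dependency reading `request.headers`, and the dict inside `InMemorySessionStore` would be replaced by an external store as the post suggests; the in-memory version is only there to make the lookup-and-revoke flow visible.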