Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update session storage to use Redis backend #137

Merged
merged 17 commits into from
Nov 1, 2024
Merged

Update session storage to use Redis backend #137

merged 17 commits into from
Nov 1, 2024

Conversation

markdboyd
Copy link
Contributor

Changes proposed in this pull request:

Related to https://github.com/cloud-gov/private/issues/2015

We have an issue where sessions are sometimes too large to be stored in a cookie. To work around this issue, we are adding Redis to store session data server-side, which should allow session data of any arbitrary size. The flask-session package has a nice diagram to explain how server-side sessions work:

Flow diagram showing how a Flask server using the flask-session package retrieves session data from backend storage

This PR

  • Adds flask-session package to allow storing session data in backend storage
  • Updates Docker configuration to be more reliable for local testing
  • Adds Redis service to local Docker configuration for testing

Things to check

  • For any logging statements, is there any chance that they could be logging sensitive data?
  • Are log statements using a logging library with a logging level set? Setting a logging level means that log statements "below" that level will not be written to the output. For example, if the logging level is set to INFO and debugging statements are written with log.debug or similar, then they won't be written to the otput, which can prevent unintentional leaks of sensitive data.

Security considerations

Nothing about the actual security of how the proxy authenticates users is changing, the storage of the session data is just changing from a cookie in the browser to a cookie in the browser that references data stored in a backend. It is theoretically more secure for actual session data to reside in a backend that cannot be intercepted at the browser level.

@markdboyd
remove unused import
4189444
@markdboyd
change session cookie name
4bd236a
@markdboyd
add flask-session package
5082c37
@markdboyd
add config for redis sessions
abe5203
@markdboyd
add initialization of flask-session storage
1130161
@markdboyd
update sample env
4242e11
@markdboyd
add redis for local testing
8424048
@markdboyd
update docker compose to include build arg for base_image
1c2ebca
@markdboyd
update dockerfiles to reference paths in new build context
ff5d4bc
@markdboyd
remove commented config
b9b3010
@markdboyd
add password configuration for redis
77fd17e
@markdboyd
add default value for base_image to address InvalidDefaultArgInFrom w…
7872de0 
…arning
@markdboyd
more updates to docker configuration
73c2603
@markdboyd
refactor docker setup for local dev
bcb0c4a
@markdboyd
update docker network to always use the same IP range
a45fbef
@markdboyd
update README on updating security config
ac5d5ff
@markdboyd
update test proxy manifest to include vars for Redis store
7c426f9
@markdboyd markdboyd requested a review from a team as a code owner October 31, 2024 21:26
@markdboyd markdboyd merged commit 722ec25 into main Nov 1, 2024
1 check passed
@markdboyd markdboyd deleted the update-session-storage-redis branch November 1, 2024 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rcgottlieb rcgottlieb rcgottlieb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@markdboyd @rcgottlieb