Document the security of cookie-based session

[notramo]

The documentation mentions that the default session store is cookie-based. However, it's not mentioned what security measures are applied. I guess it's encrypted otherwise the user could tamper with it. However, this should be made clear in the documentation in order to help developers evaluate the security model of the application.

[ellmetha]

Hey! The documentation do mention that session data is persisted in an encrypted cookie by default (but we may be missing mentions of that elsewhere in the doc):

Handlers can interact with a session store, which you can use to store small amounts of data that will be persisted between requests. How much data you can persist in this store depends on the session backend being used. The default backend persists session data using an encrypted cookie. Cookies have a 4K size limit, which is usually sufficient in order to persist things like a user ID and flash messages.

Ultimately everything that is encrypted in Marten leverages Marten::Core::Encryptor, which means that data is encrypted with an aes-256-cbc cipher and signed with HMAC signatures that use the SHA256 hash algorithm.

Edit: added more details in 431fced.

[notramo]

Thanks, this commit makes it much more clear.