Full Web Apps with FastAPI Transcripts
Chapter: Users and HTML forms
Lecture: User sessions via cookies, safer version
0:00 Let's have a look at our cookie_auth one more time. So this looked great, right? We saw that we're storing our account
0:07 id in the cookie. And if we submit that cookie, then everything's golden. What happens if we were to try to play with that?
0:14 What if we were to go find the cookie on our disk? Or we were to do some sort of POST where we set a cookie? We noticed well, if it was 1,
0:22 what if it were 2? what if it were 100? Could we be other users? How about that? That'd be cool. In general, more broadly, the problem is,
0:28 what if people tamper with the cookie? What if they make changes to the cookie? How do we know? we wouldn't know. I mean, as long as it was
0:36 valid data, it's a valid user, it'll look like that user logged in. So what I'm gonna do is drop something in there that takes the data and then
0:43 creates a hash of the data. When we get it back, we'll be able to say, here's what they gave us. Here's what it should look like if we were to
0:51 scramble it up, do they match? Right, so we're going to store both, the value and the scrambled version,
0:57 which they won't know how to recreate because of the way we've generated it. And that'll give us a tamper proof digest type of thing.
1:04 So I'm going to just drop that in here, and now we've got a slightly more complicated version. So let me just walk you through.
1:10 It's basically the same thing. So when we get a user_id passed over, instead of just sticking the user_id directly, we're going to hash this user_id
1:19 in a certain way that's hard to recreate and put the user_id here. So if somebody gets hold of the cookie,
1:24 they see the number one and some giant scrambled thing. That way they'll not be able to look at it and say,
1:30 Oh, I can just tweak this because if they tweak it, they'll have to adjust the hash, the match to be the same.
1:36 So we're gonna create a sort of a combo here, and then when we get the cookie, we're gonna pull it apart and we're gonna check two things,
1:42 give us the value and the hash value, and do those match as we would expect? They don't, we get nope,
1:49 there's no user here. Otherwise we're gonna convert it to an integer. OK, To hash it, what we're gonna do is a simple sha512,
1:56 but we're also going to apply some salt at the beginning and the end. So instead of just hashing the number two, we're gonna hash "salty__",
2:04 two underscore, "__text". Looking at the value, you would never know that that's what you need to hash. So it provides a small level of safety,
2:11 not huge, but it does help us here. OK, So what we're gonna do is we're gonna try this again. I'll that "pypi_account".
2:22 All right. So make sure I named everything correctly. No, I didn't. Let's see, get_user_via_auth_cookie,
2:29 there we go. That's what I dropped in there had the name of and then over in account. Looks like this is working,
2:34 so let's run it. We should not be logged in when we first get there. We're not, go register. Takes five a's and an up arrow and we should
2:45 be able to register. Off it goes, perfect. Now we're logged in, and let's look at the thing we exchanged this time around
2:52 Network, HTTP, go anywhere and we should be able to see our cookies getting sent back. Here we go, now check that out.
3:00 We got the "1:" and then that huge blob of stuff, Right? That is the verification that if we were to try to change that,
3:07 which guess what? Go ahead and make changes to it. If we want, we're not gonna be able to change it, right? If we put a 2 there,
3:13 we would have to know what that huge thing on the end that corresponds to the new hash. So it'll make it much more tamper proof.
3:21 And that way people won't be able to go randomly, change stuff around and cause problems with our site.