Full Web Apps with FastAPI Transcripts
Chapter: Users and HTML forms
Lecture: User sessions via cookies, safer version
0:00 Let's have a look at our cookie_auth one more time.
0:02 So this looked great, right?
0:04 We saw that we're storing our account
0:06 id in the cookie. And if we submit that cookie,
0:09 then everything's golden. What happens if we were to try to play with that?
0:13 What if we were to go find the cookie on our disk?
0:16 Or we were to do some sort of POST where we set a cookie?
0:19 We noticed, well, if it was 1,
0:21 what if it were 2? What if it were 100? Could we be other users?
0:24 How about that? That'd be cool. In general,
0:26 more broadly, the problem is,
0:27 what if people tamper with the cookie?
0:30 What if they make changes to the cookie?
0:33 How do we know? We wouldn't know. I mean, as long as it was
0:35 valid data, it's a valid user,
0:37 it'll look like that user logged in.
0:38 So what I'm gonna do is drop something in there that takes the data and then
0:42 creates a hash of the data.
0:44 When we get it back, we'll be able to say,
0:46 here's what they gave us. Here's what it should look like if we were to
0:50 scramble it up, do they match?
0:52 Right, so we're going to store both, the value and the scrambled version,
0:56 which they won't know how to recreate because of the way we've generated it.
1:00 And that'll give us a tamper proof digest type of thing.
1:03 So I'm going to just drop that in here, and now we've got a slightly more complicated
1:07 version. So let me just walk you through.
1:09 It's basically the same thing. So when we get a user_id
1:12 passed over, instead of just sticking the user_id
1:15 directly, we're going to hash this user_id
1:18 in a certain way
1:19 that's hard to recreate and put the user_id here.
1:22 So if somebody gets hold of the cookie,
1:23 they see the number one and some giant scrambled thing.
1:27 That way they'll not be able to look at it and say,
1:29 Oh, I can just tweak this because if they tweak it,
1:32 they'll have to adjust the hash,
1:33 the match to be the same.
1:35 So we're gonna create a sort of a combo here,
1:38 and then when we get the cookie,
1:39 we're gonna pull it apart and we're gonna check two things,
1:41 give us the value and the hash value,
1:43 and do those match as we would expect?
1:47 They don't, we get nope,
1:48 there's no user here. Otherwise we're gonna convert it to an integer.
1:51 OK, to hash it, what we're gonna do is a simple sha512,
1:55 but we're also going to apply some salt at the beginning and the end.
1:59 So instead of just hashing the number two,
2:01 we're gonna hash "salty__",
2:03 two underscore, "__text".
2:05 Looking at the value, you would never know that
2:07 that's what you need to hash.
2:08 So it provides a small level of safety,
2:10 not huge, but it does help us here.
2:13 OK, so what we're gonna do is we're gonna try this again.
2:16 I'll that "pypi_account".
2:21 All right. So make sure I named everything correctly.
2:25 No, I didn't. Let's see,
2:28 there we go. That's what I dropped in there had the name of and then
2:31 over in account. Looks like this is working,
2:33 so let's run it. We should not be logged in when we first get there.
2:37 We're not, go register. Takes five a's and an up arrow and we should
2:44 be able to register. Off it goes, perfect.
2:48 Now we're logged in, and let's look at the thing we exchanged this time around.
2:51 Network, HTTP, go anywhere and we should be able to see our cookies getting sent back.
2:56 Here we go, now check that out.
2:59 We got the "1:" and then that huge blob of stuff,
3:03 right? That is the verification
3:05 that if we were to try to change that,
3:06 which guess what? Go ahead and make changes
3:09 to it. If we want, we're not gonna be able to change it,
3:11 right? If we put a 2 there,
3:12 we would have to know what that huge thing on the end is that corresponds to the new
3:16 hash. So it'll make it much more tamper proof.
3:20 And that way people won't be able to go randomly,
3:22 change stuff around and cause problems with our site.
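The cookie scheme described in this lecture, written out as an added example (not the course's own cookie_auth module): the value is "<user_id>:<sha512 digest>", the digest is taken over "salty__<id>__text", and a cookie whose id and digest no longer match yields no user. The use of hmac.compare_digest for the comparison is an addition over the plain equality check the lecture describes.

```python
import hashlib
import hmac
from typing import Optional

# Salt strings as described in the lecture ("salty__" + id + "__text").
SALT_PREFIX = "salty__"
SALT_SUFFIX = "__text"


def hash_text(text: str) -> str:
    """sha512 over the salted text, so the digest cannot be recomputed
    without knowing the prefix and suffix."""
    salted = f"{SALT_PREFIX}{text}{SALT_SUFFIX}"
    return hashlib.sha512(salted.encode("utf-8")).hexdigest()


def make_cookie_value(user_id: int) -> str:
    """Build the cookie payload: the id in the clear plus its digest,
    e.g. "1:<128 hex chars>"."""
    return f"{user_id}:{hash_text(str(user_id))}"


def get_user_id_from_cookie(cookie_value: Optional[str]) -> Optional[int]:
    """Pull the cookie apart, recompute the digest for the id we were given
    and only accept the id when both parts agree."""
    if not cookie_value or ":" not in cookie_value:
        return None
    raw_id, _, digest = cookie_value.partition(":")
    expected = hash_text(raw_id)
    # Constant-time comparison (hmac.compare_digest); a changed id with the
    # old digest, or a changed digest, fails here.
    if not hmac.compare_digest(expected, digest):
        return None
    try:
        return int(raw_id)
    except ValueError:
        return None


if __name__ == "__main__":
    cookie = make_cookie_value(1)
    print(cookie)
    print(get_user_id_from_cookie(cookie))             # 1
    tampered = "2:" + cookie.partition(":")[2]         # id edited, digest kept
    print(get_user_id_from_cookie(tampered))           # None
```

The protection holds only while the salt strings stay secret; the standard form of this construction is an HMAC keyed with a secret that is not stored alongside the code.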