We use Redis to get the user for a request. Pretty sure I'm to blame for this code:
https://github.com/WhiteHatCP/wrath-ctf-framework/blob/49724ba89fe9f0f6736c80752c3ddc7b281740cf/ctf/frontend.py#L22-L32
https://github.com/WhiteHatCP/wrath-ctf-framework/blob/49724ba89fe9f0f6736c80752c3ddc7b281740cf/ctf/core.py#L92-L96
We have a signed cookie that contains a key, and look up that key in Redis to get the user id, then look up that user from the db. Why not just... store the user id in the signed cookie?
The one benefit to storing stuff in Redis is that we can revoke specific user sessions at any time. But for this application, that doesn't seem like a useful thing to be able to do.
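The two designs compared above, as an added sketch that is not part of the original issue or the framework's own code. A plain dict stands in for Redis, and the HMAC signing helpers and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # constructed signing key for this demo
SESSIONS = {}                         # stand-in for Redis: session key -> user id


def sign(value: str) -> str:
    """Return 'value.mac', where mac is HMAC-SHA256 over value."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def unsign(cookie: str):
    """Return the signed value, or None if the MAC does not verify."""
    value, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return value if ok else None


# Design 1: cookie holds an opaque key, the server maps key -> user id.
def login_server_side(user_id: int) -> str:
    key = secrets.token_urlsafe(16)
    SESSIONS[key] = user_id
    return sign(key)


def user_from_server_side(cookie: str):
    key = unsign(cookie)
    return SESSIONS.get(key) if key is not None else None


def revoke(cookie: str) -> None:
    """Drop one session; the cookie still verifies but maps to nothing."""
    SESSIONS.pop(unsign(cookie), None)


# Design 2: cookie holds the user id itself, no server-side state.
def login_stateless(user_id: int) -> str:
    return sign(str(user_id))


def user_from_stateless(cookie: str):
    value = unsign(cookie)
    return int(value) if value is not None else None
```

In the stateless variant of this sketch, the only server-side way to invalidate an issued cookie is to change the signing key, which invalidates every user's cookie at once.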