Skip to content

Security: replace non-empty session cookie auth with server-side sessions #18

Description

@joeblack2k

Problem

AUTH_MODE=enabled currently treats any non-empty session cookie as authenticated. That preserves the existing login handler behavior, but it is not a real server-side session model.

Desired outcome

Implement a server-side session store backed by persisted security state or another explicit session backend.

Acceptance criteria

  • Login creates an opaque session ID with server-side state.
  • Middleware validates the session against that store instead of accepting any non-empty cookie.
  • Logout invalidates the session.
  • Expiry/rotation behavior is documented and tested.
  • Existing helper app-password authentication continues to work independently.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions