New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using global writable store for session is insecure and leads to session data leak #2

Open

liborvanek opened this issue Oct 2, 2022 · 1 comment · May be fixed by #4

liborvanek commented Oct 2, 2022

If a store is created in SSR, it will end up being a global store shared by all users.
The issue is discussed here: sveltejs/kit#4339
Docs mention it, but only ambiguously: https://kit.svelte.dev/docs/load#shared-state

How to reproduce

Add a new page /leak/+page.svelte:

<script lang="ts">
	import { session } from "$lib/stores/session";
	$: console.log($session);
</script>

{JSON.stringify($session)}

if another user is logged, the $session store leaks the data on SSR request

How to fix

temporary solution is to wrap the store using Svelte's context API as suggested in Sharing a global variable across multiple requests is unsafe in SSR sveltejs/kit#4339 (comment)

See also

[feat] helper for creating stores sveltejs/kit#7105

The text was updated successfully, but these errors were encountered:

Owner

danawoodman commented Oct 2, 2022

Yeah, this approach isn't ideal. I have a re-write that is using lucia-sveltekit but I just haven't had the time to update. I will try and get that updated this week so we don't have this in the example, though a PR is welcome in the meantime. Thanks!

liborvanek linked a pull request

that will close this issue

Wrap the session store using Svelte's context API #4

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment