Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Those evals() are valid only if user is authenticated, if there is no authentication then no eval() will be performed on the cookies.


True, but just because you trust someone to access the dashboard doesn't mean you trust them to execute code on your server. There are other things to consider as well, like MITM attacks, and that an XSS hole would let the attacker set their own cookies.

The data in the cookies is just JSON, right? If json.loads() would work here you should switch to that instead.


Good point there, i'll look into limiting the eval().

I would hope that people won't give access to everyone to the dashboard, wasn't really build for that, or at least that wasn't my initial idea.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: