Hello
When a user authenticates himself successfully, I save the whole User object in the session like this:
session.set("user", user.unwrap());
This is the User struct:
use serde::{Deserialize, Serialize};

// `Distributor` is another struct that derives Serialize/Deserialize (not shown here).
#[derive(Serialize, Deserialize, Clone)]
pub struct DistributorUser {
    id: u64,
    username: String,
    password: String, // Also the password (HASH) will be serialized !!
    distributor: Distributor,
    display_name: String,
}
But I wonder if this is safe, because the password will also be saved in the cookie. Everything is over HTTPS, but this still feels bad.
Solutions I have thought of to make it safe:
- Skip serializing: I could do
#[serde(skip_serializing)]
so the password won't get serialized. But that often gives the error:
thread 'actix-rt:worker:0' panicked at 'called `Result::unwrap()` on an `Err` value: Error("missing field `...`", line: 1, column: 366)', ...
So I'm not a fan of this.
- Saving the ID. I could also only save the ID of the user, and then get the user from the database each time it's needed, but this is time consuming.
- Saving session GUID. I could also save the session GUID in my session and make a database to link a session to a user. But this is too complicated.
What would be the best way to do this? Or is the way I do it already safe? Thanks.
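A fourth option worth considering, shown here as an added example that is not part of the original post: keep the database record and the session payload as two different types. The session only ever holds a projection of the user that has no password field, so the hash is never written into the cookie and there is no field for deserialization to find "missing". The `Distributor` struct, the sample data and the hand-rolled `encode`/`decode` format are assumptions made for this example so it runs without external crates; in an actix-web project you would derive `Serialize`/`Deserialize` on `SessionUser` and hand it to `session.set` exactly as the full struct is handed over today.

```rust
// Added example, not the original poster's code. The session carries a
// password-free projection (`SessionUser`) of the database record
// (`DistributorUser`); the hash never leaves the server side.
// `Distributor`, the sample data and the encoding below are assumptions.

#[derive(Clone, Debug, PartialEq)]
pub struct Distributor {
    pub id: u64,
    pub name: String,
}

/// Full database record, including the password hash. Lives server-side only.
#[derive(Clone, Debug)]
pub struct DistributorUser {
    pub id: u64,
    pub username: String,
    pub password: String, // stored hash; must never reach the session cookie
    pub distributor: Distributor,
    pub display_name: String,
}

/// What the session actually carries: only what request handlers need.
#[derive(Clone, Debug, PartialEq)]
pub struct SessionUser {
    pub id: u64,
    pub username: String,
    pub distributor_id: u64,
    pub display_name: String,
}

impl From<&DistributorUser> for SessionUser {
    fn from(u: &DistributorUser) -> Self {
        SessionUser {
            id: u.id,
            username: u.username.clone(),
            distributor_id: u.distributor.id,
            display_name: u.display_name.clone(),
        }
    }
}

/// Field separator for the hand-rolled encoding (stands in for serde_json here).
const SEP: char = '\u{1f}';

impl SessionUser {
    /// Encode for the cookie. Values containing the separator are rejected so a
    /// crafted username cannot smuggle extra fields into the payload.
    pub fn encode(&self) -> Result<String, String> {
        for s in [&self.username, &self.display_name] {
            if s.contains(SEP) {
                return Err(format!("field contains reserved separator: {s:?}"));
            }
        }
        Ok(format!(
            "{}{sep}{}{sep}{}{sep}{}",
            self.id, self.username, self.distributor_id, self.display_name,
            sep = SEP
        ))
    }

    /// Decode from the cookie, failing on a wrong field count or non-numeric ids.
    pub fn decode(s: &str) -> Result<Self, String> {
        let parts: Vec<&str> = s.split(SEP).collect();
        if parts.len() != 4 {
            return Err(format!("expected 4 fields, got {}", parts.len()));
        }
        let id = parts[0].parse::<u64>().map_err(|e| format!("bad id: {e}"))?;
        let distributor_id = parts[2]
            .parse::<u64>()
            .map_err(|e| format!("bad distributor id: {e}"))?;
        Ok(SessionUser {
            id,
            username: parts[1].to_string(),
            distributor_id,
            display_name: parts[3].to_string(),
        })
    }
}

/// The check worth running on any session payload: does it contain the hash?
pub fn payload_leaks(payload: &str, secret: &str) -> bool {
    payload.contains(secret)
}

/// Constructed sample record; the hash string is a placeholder, not a real hash.
pub fn sample_user() -> DistributorUser {
    DistributorUser {
        id: 42,
        username: "alice".to_string(),
        password: "$argon2id$PLACEHOLDER_HASH_NOT_REAL".to_string(),
        distributor: Distributor { id: 7, name: "Acme".to_string() },
        display_name: "Alice".to_string(),
    }
}

fn main() {
    let user = sample_user();
    let session_user = SessionUser::from(&user);
    let payload = session_user.encode().expect("encodable");
    println!("payload: {payload:?}");
    println!("leaks hash: {}", payload_leaks(&payload, &user.password));
    let back = SessionUser::decode(&payload).expect("decodable");
    assert_eq!(back, session_user);
}
```

The "missing field" panic in the post comes from `#[serde(skip_serializing)]` on its own: the field is left out of the JSON but is still required when the same struct is deserialized back. Adding `#[serde(default)]` to that field (or using `#[serde(skip)]`, which skips both directions and fills the field with `Default::default()`) makes the round trip succeed, but then the handlers receive a struct whose `password` is an empty string, which is easy to misuse later. A separate session type avoids that ambiguity: code that needs the hash has to load the full record from the database, and code that only needs identity gets a type that cannot contain the hash at all.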