Securing Metabase application

Metabase currently uses cookies to authenticate the API. How safe is it when dealing with sensitive information? Is it secured, or how can we ensure the data is protected from unauthorised users?

Hi @NaveenHadagali
If you want to use sessions instead, then you can change it with MB_SESSION_COOKIES=true.
Why do you think it is a security problem? Most major systems support cookies. Usually only banks and similar systems use very strict sessions.

Hi Flamber, thanks for pointing to the MB_Session_Cookies variable. The reason why I was looking at this was that we were able to do cookie injection and hijack the session of another user during our security test. So I wanted to check if we can avoid the cookies.

Correct, you can do that with any system that uses cookies - you can also do that with sessions.
That’s why HTTPS is the recommended way of communicating securely.