Securing Metabase application

#1

Metabase currently uses cookies to authenticate the API. How safe is it when dealing with sensitive information? Is it secured, or how can we ensure its data is protected from unauthorised users?

#2

Hi @NaveenHadagali
If you want to use sessions instead, then you can change it with MB_SESSION_COOKIES=true
Why do you think it is a security problem? Most major systems support cookies. Usually only banks and similar systems use very strict sessions.

#3

Hi Flamber, thanks for pointing to the MB_SESSION_COOKIES variable. The reason I was looking at this was that we were able to do cookie injection and hijack the session of another user during our security test. So we wanted to check if we can avoid the cookies.

#4

@NaveenHadagali
Correct, you can do that with any system that uses cookies - you can also do that with sessions.
That’s why HTTPS is the recommended way of communicating securely.
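
An added example, not part of any post in this thread and not Metabase code: a small audit of `Set-Cookie` headers for the properties this discussion turns on (HTTPS transport, and session versus persistent cookies), plus the standard `Secure`, `HttpOnly` and `SameSite` attributes. The cookie name and values are constructed placeholders, and treating the absence of `Expires`/`Max-Age` as the effect of `MB_SESSION_COOKIES=true` is an assumption the thread does not spell out.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, served_over_https):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if not served_over_https:
        findings.append("response sent over plain HTTP: cookie readable on the network")
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives browser close")
    return name, findings


# Constructed sample headers; "example.SESSION" is a placeholder cookie name.
SAMPLES = [
    ("example.SESSION=constructed-0001; Path=/; HttpOnly; Max-Age=1209600", False),
    ("example.SESSION=constructed-0002; Path=/; HttpOnly; Secure; SameSite=Lax", True),
]

if __name__ == "__main__":
    for header, https in SAMPLES:
        name, findings = audit_cookie(header, https)
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

A stolen cookie value is still a valid session regardless of these attributes; they narrow how it can leak, and HTTPS covers the network path.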