_Session class security

Hi, I see the _Session class by default has CLP with read, write and add field enabled for Public, and also ACL as “Public Read + Write”.

I think this is not quite safe in production. What could be a good setting for a more secure production environment, and how could I set it?

Thanks

Hi @mgerar, the _Session class is not managed in the same way as other classes by Parse Server.

You can see a public configuration (public read and write), but that is not the case.

Only a connected user can query the Session. Each session is always protected by an ACL with the user, so a user can only query his own sessions.
A user can create a new session, but only for himself, and he can't set the session token (but he can set some additional fields if you added additional fields to the Session class).

The default configuration is safe; the Parse Dashboard could lead to a misunderstanding 🙂


You can disable all permissions for a class, and then write all your functions in Cloud Code, where it has access to the master key. When calling a method, instruct it to use the master key like so: `.find({ useMasterKey: true })`, `.save(null, { useMasterKey: true })`, and it will override the class protection.

And then you can invoke your cloud code from frontend using helper functions.

This way you can be sure that no one can do anything to your schema other than what's been defined by your cloud function.

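One concrete form of the pattern described in this reply, as an added example that is not code from the thread or from Parse Server itself: a fully locked-down CLP object for a hypothetical `Note` class, the public default for comparison, and two Cloud Code functions that become the only way to read or write that class. The class name, the function names `createNote`/`listMyNotes` and the `owner`/`text` fields are assumptions; `Parse` is the SDK global that Cloud Code provides, passed in as a parameter so the module also loads outside Parse Server.

```javascript
// Added example (not from the thread or from Parse Server): lock a class down with its
// class-level permissions and expose it only through Cloud Code that uses the master key.
// "Note", "createNote", "listMyNotes", "owner" and "text" are assumed names.

// 1. Class-level permissions to PUT on /parse/schemas/Note (master key header required).
//    An empty object for an operation means nobody except the master key may perform it,
//    so direct SDK/REST access to Note from clients is blocked entirely.
const lockedDownNoteClp = {
  find: {}, get: {}, count: {},
  create: {}, update: {}, delete: {},
  addField: {},
};

// The weak setting the dashboard shows by default, for comparison: everything public.
const publicNoteClp = {
  find: { '*': true }, get: { '*': true }, count: { '*': true },
  create: { '*': true }, update: { '*': true }, delete: { '*': true },
  addField: { '*': true },
};

// Reject calls that arrive without a session. Parse Server fills request.user from the
// caller's session token; it is absent for anonymous callers.
function requireUser(request) {
  if (!request || !request.user) {
    throw new Error('Authentication required');
  }
  return request.user;
}

// 2. Cloud functions. Everything the client may do to Note is spelled out here, and
//    nothing else is possible because the CLP above denies direct access.
function defineNoteCloudFunctions(Parse) {
  Parse.Cloud.define('createNote', async (request) => {
    const user = requireUser(request);
    const params = request.params || {};
    const text = typeof params.text === 'string' ? params.text.trim() : '';
    if (text.length === 0 || text.length > 1000) {
      throw new Error('text must be 1-1000 characters');
    }
    const note = new Parse.Object('Note');
    note.set('owner', user);   // ownership is decided server-side, not taken from params
    note.set('text', text);
    // useMasterKey overrides the locked CLP; this function is the only writer.
    const saved = await note.save(null, { useMasterKey: true });
    return saved.id;
  });

  Parse.Cloud.define('listMyNotes', async (request) => {
    const user = requireUser(request);
    // The master key bypasses ACLs too, so the query itself must be scoped to the caller
    // and never to a user-supplied id.
    const query = new Parse.Query('Note');
    query.equalTo('owner', user);
    query.ascending('createdAt');
    const notes = await query.find({ useMasterKey: true });
    return notes.map((n) => ({ id: n.id, text: n.get('text') }));
  });
}

// 3. Frontend helper: the browser only ever talks to the cloud functions.
function createNoteFromClient(Parse, text) {
  return Parse.Cloud.run('createNote', { text });
}

// Register immediately when loaded as Cloud Code, where `Parse` is a global.
if (typeof Parse !== 'undefined') {
  defineNoteCloudFunctions(Parse);
}
```

Apply `lockedDownNoteClp` with `PUT /parse/schemas/Note` using the `X-Parse-Master-Key` header (or through the dashboard's permission editor), and keep the master key on the server only. Note the second caveat in the code: `useMasterKey: true` skips ACL checks as well as the CLP, so the Cloud Code must do its own scoping (here `equalTo('owner', user)`) or a locked-down class becomes readable by any logged-in caller through the function.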