docs: add note on using session variables with the unauthenticated role

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/3025
GitOrigin-RevId: 84779736f4cd648a229ba5146af041b56d06cf9a
This commit is contained in:
Rikin Kachhia 2022-01-03 16:16:38 +05:30 committed by hasura-bot
parent 265470b08c
commit e623121d56


@ -28,6 +28,12 @@ not be rejected and instead the request will be made with the configured role.
This role can then be used to define the permissions for unauthenticated users as described in :ref:`authorization`.
A guide on setting up unauthenticated user permissions can be found :ref:`here <anonymous_users_example>`.
.. admonition:: Risk of using session variables
It is recommended to not use :ref:`session variables <dynamic_session_variables>` in the permissions of an unauthenticated role because
the source of the session variables cannot be trusted. As session variables can be passed using request headers, a user can choose to send any
values for them and it needs to be ensured that they can't get access to sensitive data just by setting different values for their session variables.
Configuring unauthenticated / public access
-------------------------------------------
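Review bot: the admonition body added in this hunk ("It is recommended to not use ... session variables.") states the risk too generically; the point worth making is that for a request handled by the unauthenticated role there is no authentication step to vet the values, so session variables passed as request headers are entirely client-controlled, which is why permissions for this role should not depend on them. Suggest "It is recommended not to use ... in the permissions of an unauthenticated role: for such requests the session variables come straight from the request headers, so a client can set them to any value. Make sure that no permission rule for this role grants access to sensitive data based on a session variable." This also fixes "recommended to not use" (should be "not to use") and splits the run-on second sentence at "for them and". Finally, check that the three body lines are indented under ".. admonition::" in the source, otherwise Sphinx renders an empty admonition box followed by the text as an ordinary paragraph.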