
Tornado security issue


I am new to Tornado, the Python framework. I came across that it does not support sessions and that authentication is done using secure cookies.

But how secure is it really?

I did this simple thing to test it. I logged in to the application, exported the cookies using EditThisCookie and then I logged out. After that, I simply imported the cookie and now I am logged into the application.

I tried this with 2 applications that claim to have been built using Tornado and got the same result on both occasions.

Is this something expected? Or is there a better way to secure the tornado applications?

I tried with an example from the Tornado website and found the same issue.


Solution

  • That's expected behavior. The secure cookie is a token the browser keeps to prove it's logged in. If you move the cookie from the browser to your hard drive, then reimport it to the browser, the browser can once again prove to the Tornado application that it's logged in.
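To make the answer concrete, here is an added illustration that is not part of the original post and is not Tornado's own code: a simplified HMAC-signed cookie in the style of a "secure cookie" (signed, not encrypted, so anyone holding the token can replay it), beside a hypothetical server-side session table that lets logout actually revoke the token. `COOKIE_SECRET`, `sign_cookie`, `verify_cookie`, `SessionStore` and the scenario functions are all assumptions constructed for this example; the real framework's wire format differs, but the property being shown is the same.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo secret. A real deployment uses a long random value kept out of source control.
COOKIE_SECRET = b"demo-secret-not-for-production"


def sign_cookie(name: str, value: str, secret: bytes = COOKIE_SECRET,
                now: Optional[float] = None) -> str:
    """Return 'value|timestamp|hmac'. Signing stops tampering; it does not stop replay."""
    ts = str(int(now if now is not None else time.time()))
    payload = f"{name}|{value}|{ts}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{value}|{ts}|{sig}"


def verify_cookie(name: str, cookie: str, secret: bytes = COOKIE_SECRET,
                  max_age_days: int = 31, now: Optional[float] = None) -> Optional[str]:
    """Return the embedded value if the signature is valid and the cookie is not expired."""
    try:
        value, ts, sig = cookie.split("|")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{name}|{value}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    current = now if now is not None else time.time()
    if int(ts) < current - max_age_days * 86400:    # default 31-day lifetime
        return None
    return value


class SessionStore:
    """Hypothetical server-side session table (Tornado ships none; you supply your own)."""

    def __init__(self) -> None:
        self._active: dict = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # random, unguessable session id
        self._active[sid] = user
        return sid

    def revoke(self, sid: str) -> None:
        self._active.pop(sid, None)       # logout forgets the id server-side

    def lookup(self, sid: str) -> Optional[str]:
        return self._active.get(sid)


def stateless_cookie_survives_logout() -> bool:
    """The scenario from the question: export the cookie, log out, re-import it."""
    exported = sign_cookie("user", "alice")   # set at login, carries the username itself
    # Logout in a purely stateless scheme only tells the browser to drop the cookie;
    # the server has nothing to forget, so the exported copy still verifies.
    return verify_cookie("user", exported) == "alice"


def server_session_survives_logout() -> bool:
    """Same scenario when the cookie carries only a session id checked against the store."""
    store = SessionStore()
    sid = store.create("alice")
    exported = sign_cookie("session", sid)
    store.revoke(sid)                          # logout revokes the id on the server
    sid_from_cookie = verify_cookie("session", exported)
    # Signature still valid, but the id no longer maps to a user, so the replay fails.
    return sid_from_cookie is not None and store.lookup(sid_from_cookie) is not None


if __name__ == "__main__":
    print("stateless cookie still logs in after logout:", stateless_cookie_survives_logout())
    print("server-session cookie still logs in after logout:", server_session_survives_logout())
```

The signature only proves the server issued the token; it does not know whether the browser, a backup file, or an attacker is presenting it. Expiry (`max_age_days`) bounds how long a copied token stays useful, and a server-side session id turns logout into real revocation at the cost of keeping state.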