While reviewing flaskserver.py and server.py, I noticed that the session is identified by the server's public key, which never changes. Shouldn't each client have a separate session?
I'd like to use this code for a project I'm working on and would be happy to contribute back a proposed fix (if I'm not just misunderstanding the code).
Hi,
The session should be identified by an ephemeral server key, not only different for each client, but different each time the client connects - unique/newly-generated for each/every connection.
The server creates a new key pair, and signs the public key with its "static" key (which never changes). This is so that the clients can be sure they are connecting to your "genuine" pinserver instance.
i.e.:
1. install pinserver
2. generate your own new server 'static' key
3. run pinserver
In your client's code, hard-code the server static pubkey - sessions with your pinserver will always use a new (per-session) ephemeral server key (the client should also use a new ephemeral session key for each connection, but also have a static 'identifying' key). So the session data will be encrypted using the ephemeral key, but the client and server can still authenticate each other by signatures/static-pubkeys.
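The pattern described in the reply above, as an added sketch that is not code from the pinserver project: the server signs a fresh ephemeral key with its static key on every connection, and the client checks that signature against a pinned static public key before deriving a session secret. The `Server` and `Client` classes and their method names are hypothetical, Ed25519 and X25519 from the `cryptography` package stand in for whatever primitives the project uses, and the client's own static identifying key is left out.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def raw(pub):
    """Raw 32-byte encoding of a public key."""
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)


class Server:  # hypothetical stand-in, not the project's server class
    def __init__(self):
        self.static_key = Ed25519PrivateKey.generate()  # long-lived identity
        self.sessions = {}  # keyed by the *ephemeral* public key bytes

    def start_handshake(self):
        """Create a new ephemeral key for this connection and sign it."""
        eph = X25519PrivateKey.generate()
        eph_pub = raw(eph.public_key())
        self.sessions[eph_pub] = eph
        return eph_pub, self.static_key.sign(eph_pub)

    def finish_handshake(self, eph_pub, client_eph_pub):
        """Derive the shared secret; the ephemeral key is used only once."""
        eph = self.sessions.pop(eph_pub)
        peer = X25519PublicKey.from_public_bytes(client_eph_pub)
        return eph.exchange(peer)  # a real protocol would run this through a KDF


class Client:  # hypothetical stand-in
    def __init__(self, pinned_static_pub):
        self.pinned = pinned_static_pub  # hard-coded in a real client

    def handshake(self, eph_pub, signature):
        """Return (client ephemeral pubkey, shared secret), or None if the
        ephemeral key was not signed by the pinned static key."""
        try:
            self.pinned.verify(signature, eph_pub)
        except InvalidSignature:
            return None
        mine = X25519PrivateKey.generate()  # client ephemeral key, per session
        peer = X25519PublicKey.from_public_bytes(eph_pub)
        return raw(mine.public_key()), mine.exchange(peer)
```

Keying the session table by the ephemeral public key gives every connection its own entry, while the static key is only ever used to sign.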