Scenario: Web app allows users to log in to Telegram >> a ".session" SQLite file is created on the server once logged in.

Problem: I now have full access to N number of users' Telegram accounts.

Question: Is there a way for me (developer) to have no access to their session file whilst they (browser client) have full access to it during their session?

Note: I still need to use their session file to get specific messages when they make an HTTP request to the endpoint(s), but I don't have to see this data; only they have to.

Answers


  1. No, the architecture you're currently using isn't ideal for secure data storage on your server. Even if you encrypt the session file, it must be decrypted server-side to make Telegram API calls, thereby potentially exposing user data. Storing this data in the user's browser could be an alternative, but it would prevent you from taking any actions on the user's behalf unless they are actively logged in. To answer your question in a better way, you need to clearly specify what your app wants to achieve with the Telegram session, and based on that you might come up with a more secure approach.
  2. Although not explicitly mentioned, the "telethon" tag was added to the question, so I will assume this is the library you intended to use.

    Telethon’s v1 default storage is indeed an SQLite database, but it does not need to be. It’s merely a good default.

    A session primarily exists to persist the authorization key used to encrypt communication with Telegram. Once you log in, Telegram remembers that this authorization key is logged in, and does not need to log in in the future until logged out.

    As soon as you have a logged-in authorization key, you have full access to the account. This means it's never safe for a server to have it at all, if you don't want to risk all of them being leaked.

    The only choice is to communicate with Telegram exclusively on the client-side.

    Python on the web may be doable, but is probably not the best idea.

    However, there are JavaScript libraries such as gram-js that were inspired by Telethon and may help you out.
