A Tale of Two Sessions

Alan Braithwaite

@Caust1c

Segment

What is a session?

A web session is a sequence of network HTTP request and response transactions associated to the same user.

How do they work?

Server Side Stateful Session

Encrypted Cookie Session

Threat Model Comparison

Encrypted cookies are more secure because they're encrypted

Encrypted cookies are more secure because they're encrypted

An attacker stealing an encrypted cookie still allows them to impersonate a user.

Side note: Always use TLS/HTTPS!

Threat Model Comparison

Secrets Management

Serverside

Encrypted Cookie

None
Databases firewalled

Ultra-secret key
If compromised, attacker can impersonate any user

Threat Model Comparison

Revocation

Serverside

Encrypted Cookie

Delete key in database

???
Choose your own adventure


Will likely end up implementing server-side verification for every request

Encrypted Cookies Benefits

Server to server, request scoped Authentication

Federated Authentication with JWT

"Lazy" authentication as redundant backup

Jeff

A tool for managing Sessions

Jeff

A tool for managing Sessions

// ... auth.go

func (s Server) Login(w http.ResponseWriter, r *http.Request) {
    user = Authenticate(r)
    if user == nil {
        // not authorized
    }
    // Key must be unique to one user amongst all users
    err := s.jeff.Set(r.Context(), w, user.Email)
    // handle error ... finish login
}

// ... main.go

    smgr := jeff.New(store, jeff.Redirect(
        http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            http.Redirect(w, r, "/login", http.StatusFound)
        })))

    mux.HandleFunc("/login", http.HandlerFunc(s.Login))
    mux.HandleFunc("/dashboard", smgr.Wrap(dashboardHandler))

Thank you

Alan Braithwiate
Segment
@Caust1c
 

https://github.com/abraithwaite/jeff

https://blog.abraithwaite.net/2018/08/14/two-sessions/

Tale of Two Sessions Lightning

By Alan Braithwaite

Tale of Two Sessions Lightning

  • 885