A Tale of Two Sessions
Alan Braithwaite
@Caust1c
Segment
What is a session?
A web session is a sequence of network HTTP request and response transactions associated to the same user.
How do they work?
Server Side Stateful Session
Encrypted Cookie Session
Threat Model Comparison
Encrypted cookies are more secure because they're encrypted
Encrypted cookies are more secure because they're encrypted
An attacker stealing an encrypted cookie still allows them to impersonate a user.
Side note: Always use TLS/HTTPS!
Threat Model Comparison
Secrets Management
Serverside
Encrypted Cookie
None
Databases firewalled
Ultra-secret key
If compromised, attacker can impersonate any user
Threat Model Comparison
Revocation
Serverside
Encrypted Cookie
Delete key in database
???
Choose your own adventure
Will likely end up implementing server-side verification for every request
Encrypted Cookies Benefits
Server to server, request scoped Authentication
Federated Authentication with JWT
"Lazy" authentication as redundant backup
Jeff
A tool for managing Sessions
Jeff
A tool for managing Sessions
// ... auth.go
func (s Server) Login(w http.ResponseWriter, r *http.Request) {
user = Authenticate(r)
if user == nil {
// not authorized
}
// Key must be unique to one user amongst all users
err := s.jeff.Set(r.Context(), w, user.Email)
// handle error ... finish login
}
// ... main.go
smgr := jeff.New(store, jeff.Redirect(
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, "/login", http.StatusFound)
})))
mux.HandleFunc("/login", http.HandlerFunc(s.Login))
mux.HandleFunc("/dashboard", smgr.Wrap(dashboardHandler))Thank you
Alan Braithwiate
Segment
@Caust1c
https://github.com/abraithwaite/jeff
https://blog.abraithwaite.net/2018/08/14/two-sessions/
Tale of Two Sessions Lightning
By Alan Braithwaite
