@Caust1c
Segment
A web session is a sequence of HTTP request and response transactions over the network that are associated with the same user.
Encrypted cookies are more secure because they're encrypted
An attacker who steals an encrypted cookie can still replay it as-is and impersonate the user; encryption hides the contents, it does not stop reuse.
Side note: Always use TLS/HTTPS!
None
Databases firewalled
Ultra-secret key
If compromised, attacker can impersonate any user
Delete key in database
???
Choose your own adventure
Will likely end up implementing server-side verification for every request
Server to server, request scoped Authentication
Federated Authentication with JWT
"Lazy" authentication as redundant backup
A tool for managing Sessions
// ... auth.go
func (s Server) Login(w http.ResponseWriter, r *http.Request) {
	user := Authenticate(r)
	if user == nil {
		// not authorized: stop here, never set a session
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	// Key must be unique to one user amongst all users (jeff keys are []byte)
	if err := s.jeff.Set(r.Context(), w, []byte(user.Email)); err != nil {
		// handle error
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	// ... finish login
}
// ... main.go
// Requests without a valid session are redirected to /login
smgr := jeff.New(store, jeff.Redirect(
	http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/login", http.StatusFound)
	})))
mux.HandleFunc("/login", s.Login)
// Wrap takes and returns an http.Handler, so register it with Handle, not HandleFunc
mux.Handle("/dashboard", smgr.Wrap(dashboardHandler))
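To make the comparison above concrete (opaque cookie, firewalled store, revocation by deleting a key, verification on every request) and to show what a Set/Wrap pair like the one in the jeff snippet does underneath, here is a self-contained in-memory session manager. It is an added example, not code from the jeff library or the talk; the store, the user key "alice@example.com" and the Walkthrough driver are constructed for illustration, and the store is a Go map standing in for a real database.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Store stands in for the firewalled session database. Only an opaque
// random ID crosses the network; the user identity stays server-side,
// so there is no signing key whose compromise exposes every user.
type Store struct {
	mu       sync.Mutex
	sessions map[string]string // sha256(session ID) -> user key
}

func NewStore() *Store { return &Store{sessions: make(map[string]string)} }

// hashID keeps only a digest server-side, so reading the store does not
// yield ready-to-use cookie values.
func hashID(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// Set creates a session for userKey (unique per user, e.g. the e-mail
// address) and writes the cookie. The 32 random bytes make the value
// unguessable; HttpOnly/Secure keep it away from page script and plaintext.
func (s *Store) Set(w http.ResponseWriter, userKey string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(b)
	s.mu.Lock()
	s.sessions[hashID(id)] = userKey
	s.mu.Unlock()
	http.SetCookie(w, &http.Cookie{Name: "session", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return id, nil
}

// Lookup resolves a session ID to its user key.
func (s *Store) Lookup(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.sessions[hashID(id)]
	return u, ok
}

// Revoke is the "delete key in database" step: the cookie is dead on the
// very next request, which a self-contained JWT cannot offer before expiry.
func (s *Store) Revoke(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, hashID(id))
}

type userCtxKey struct{}

// UserFromContext returns the user key Wrap attached to the request.
func UserFromContext(ctx context.Context) string {
	u, _ := ctx.Value(userCtxKey{}).(string)
	return u
}

// Wrap consults the store on every request: the per-request server-side
// verification that the slides say you end up implementing anyway.
func (s *Store) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		u, ok := s.Lookup(c.Value)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userCtxKey{}, u)))
	})
}

// Walkthrough runs login -> dashboard -> revoke -> dashboard in-process with
// a constructed user and returns the three status codes.
func Walkthrough() (login, dash, afterRevoke int, err error) {
	s := NewStore()
	rec := httptest.NewRecorder()
	id, err := s.Set(rec, "alice@example.com") // constructed user key
	if err != nil {
		return 0, 0, 0, err
	}
	dashboard := s.Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", UserFromContext(r.Context()))
	}))
	req := httptest.NewRequest("GET", "/dashboard", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: id})
	r1 := httptest.NewRecorder()
	dashboard.ServeHTTP(r1, req)
	s.Revoke(id) // e.g. logout or a compromised-session response
	r2 := httptest.NewRecorder()
	dashboard.ServeHTTP(r2, req) // same cookie, now rejected
	return rec.Code, r1.Code, r2.Code, nil
}

func main() {
	login, dash, revoked, err := Walkthrough()
	fmt.Println(login, dash, revoked, err) // 200 200 401 <nil>
}
```

The point of the walkthrough is the last two calls: the stolen-or-not cookie is identical before and after Revoke, and only the server-side key decides whether it still works. A JWT carrying the same claims would stay valid until its expiry unless every request also hits a server-side denylist, which is the per-request verification the slides predict.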
Alan Braithwaite
Segment
@Caust1c
https://github.com/abraithwaite/jeff
https://blog.abraithwaite.net/2018/08/14/two-sessions/