JSFoo 2019

On component architecture, front-end engineering and Developer Experience (DX)

Implementing session management the correct way

Submitted by Rishabh Poddar (@rishabhpoddar) on Aug 6, 2019

Section: Crisp talk (20 mins)
Technical level: Intermediate
Status: Waitlisted

Abstract

When it comes to security, a lot of attention is given to password management or passwordless methodologies. But what happens after a user has logged into a service? Since HTTP is stateless, we still need to maintain user identity across API calls; the way we do this is called session management. Hence, this is a very important aspect of any application from both a security and a user experience point of view. Also, since most API calls will require some sort of session authentication, scalability is an important factor to consider as well.
Solutions to this problem are quite varied. Many developers like to keep things simple and use just one long-lived access token (the solution adopted by many libraries). While this is the least secure option, it takes the least time to understand and implement. Developers who can spend more time on security experiment with the lifetime of this token, use two tokens with varying properties (lifetime, generation methodology, JWT vs. opaque), and implement various heuristics such as detecting IP address or device fingerprint changes to minimise attack damage; all of these have many false negatives and false positives.
To solve this problem once and for all, we built an open source library, SuperTokens. It protects against all session-related attacks: XSS, brute force, session fixation, JWT signing key compromise, data theft from the database and CSRF. In the event that session tokens are compromised, the library also has token theft detection, since it uses the concept of rotating refresh tokens, as recommended in the OAuth 2.0 RFC. Finally, in terms of scalability, this library uses a parent-child hierarchy to form the tokens, so that the space and time complexity is at least as good as all other solutions that do not employ rotating refresh tokens.
Overall, the aim of the talk is to touch briefly on the various aspects of session management, so that developers are well informed when they decide on the solution for their apps. It will cover all attacks and best practices, and also introduce our library.

Outline

  • Introduction to session management, why it’s important, various attacks and scalability concerns.
  • Currently used methods and their analysis in the context of security, scalability and user experience.
  • About SuperTokens and how it is the best solution out there.
  • Q&A

Requirements

It is mainly intended for full-stack and backend developers who have previously built at least one app or have dealt with at least the very basics of session management.

Speaker bio

Rishabh is the CTO and co-founder of SuperTokens (https://supertokens.io), the world's best session management library. He is a full-stack engineer with expertise in relational and NoSQL databases, distributed systems, JavaScript & Java, operating systems, React JS and React Native. He received a first-class bachelor's degree in Computer Science from Imperial College London (graduated in 2015).

Links

Slides

https://docs.google.com/presentation/d/1tDjcbgb62bdnT3lvwSojtzCYrqJ33kDIBhvtd5JuTEM/edit?usp=sharing

Preview video

https://www.youtube.com/watch?v=l_rFKbiwNc8
