JSFoo 2019

On component architecture, front-end engineering and Developer Experience (DX)


Implementing session management the correct way

Submitted by Rishabh Poddar (@rishabhpoddar) on Tuesday, 6 August 2019

Section: Crisp talk (20 mins) Technical level: Intermediate Status: Waitlisted

Abstract

When it comes to security, a lot of attention is given to password management or passwordless methodologies. But what happens after a user has logged into a service? Since HTTP is stateless, we still need to maintain user identity across API calls - the way we do this is called session management. Hence, this is a very important aspect of any application from a security and a user experience point of view. Also, since most API calls will require some sort of session authentication, scalability is also an important factor to consider.
Solutions to this problem are quite varied. Many developers like to keep things simple and use just one long-lived access token (the solution adopted by many libraries). While this is the least secure option, it takes the least time to understand and implement. Developers who can spend more time on security experiment with the lifetime of this token, use two tokens with varying properties (lifetime, generation methodology, JWT vs opaque) and implement various heuristics like detecting IP address or device fingerprint changes to minimise attack damage - all of these produce many false negatives and false positives.
To solve this problem once and for all, we built an open source library, SuperTokens. It protects against all session-related attacks: XSS, brute force, session fixation, JWT signing key compromise, data theft from the database and CSRF. In the event that session tokens are compromised, the library also has token theft detection, since it uses the concept of rotating refresh tokens - as recommended in the OAuth 2.0 RFC. Finally, in terms of scalability, this library uses a parent-child hierarchy to form the tokens, so that the space and time complexity is at least as good as all other solutions that do not employ rotating refresh tokens.
Overall, the aim of the talk is to touch briefly on the various aspects of session management, so that developers are well informed when they decide on their solution for their apps. It will cover all attacks, best practices, and also introduce our library.

Outline

  • Introduction to session management, why it’s important, various attacks and scalability concerns.
  • Currently used methods and their analysis in the context of security, scalability and user experience.
  • About SuperTokens and how it is the best solution out there.
  • Q&A

Requirements

This talk is mainly intended for full-stack and backend developers who have previously built at least one app or have dealt with at least the very basics of session management.

Speaker bio

Rishabh is the CTO and co-founder of SuperTokens (https://supertokens.io) - the world's best session management library. He is a full-stack engineer with expertise in relational and NoSQL databases, distributed systems, JavaScript & Java, operating systems, React JS and React Native. He got his first-class bachelor's degree in Computer Science from Imperial College London (graduated in 2015).

Links

Slides

https://docs.google.com/presentation/d/1tDjcbgb62bdnT3lvwSojtzCYrqJ33kDIBhvtd5JuTEM/edit?usp=sharing

Preview video

https://youtu.be/l_rFKbiwNc8

Comments

  •   Zainab Bawa (@zainabbawa) Reviewer 6 months ago

    Thanks for this interesting proposal, Rishabh. The challenge with this proposal is that this is a pitch for the solution you have built i.e., Super Tokens. What is in it for participants who don’t want to use Super Tokens but want to understand how to solve the session management problem?

    While you may argue that Super Tokens is open source and is therefore good for the community, nowhere in the proposal do I find a comparison of Super Tokens with similar solutions available. Why should a developer pick Super Tokens over other available options? What is the one big win of Super Tokens? What are the compromises with using Super Tokens?

    What is the larger take home point for developers beyond the pitch for Super Tokens? For example, comparing various approaches to doing session management and the pros and cons of each approach is informative for participants, without getting into the pitch for Super Tokens.

    Look forward to your responses.

    •   Rishabh Poddar (@rishabhpoddar) Proposer 6 months ago

      Hi. Thank you for your query. Here are my thoughts:
      - Apart from the SuperTokens logo on each slide, I mention SuperTokens only towards the very end of the presentation. Most of the talk will be about session management practices in general
      - For each session management approach, I can say a list of session management solutions that employ that method. My entire talk is about comparing the various methods and listing their pros and cons. Hence, in a way, I will be comparing SuperTokens to other solutions.
      - I will add cons of using SuperTokens to the presentation once I know that the talk has been approved.
      - “For example, comparing various approaches to doing session management and the pros and cons of each approach is informative for participants, without getting into the pitch for Super Tokens.” -> I believe that most of the talk is about this anyway.
      - Also note that the presentation is a minimal-text presentation. You can view the notes to get an idea of what I will be talking about.

      I hope these answer your questions. Looking forward to hearing from you!

  •   Chirag Jain (@chiragj) 6 months ago

    Hi Rishabh, great content.
    I liked the way you progressively discussed all the different approaches and their respective pitfalls.
    Can you talk about how to identify these problems, which will allow the developer to compare multiple solutions and take a decision on his own?

    •   Rishabh Poddar (@rishabhpoddar) Proposer 6 months ago

      Thank you! The only way to identify problems with a library is to study their code or read their documentation. You want to start by understanding their session flow (short/long-lived access token, token type, using a refresh token or not, etc.). For each type of flow, I will be talking about their pros and cons. Hence, I'm confident that after hearing my talk, you would be able to make an informed decision when choosing the best library for session management for your use case.

      I hope I answered your question. If not, please feel free to clarify.

  •   Leena S N (@leenasn) 6 months ago

    Rishabh, great proposal. One piece of feedback though, i.e. it's not clear how Super Tokens solves all the mentioned problems. By explaining in detail how Super Tokens solves these, the audience will be able to understand Super Tokens better. And like Chirag mentioned above, it will help the audience to take decisions on their own too.

    •   Rishabh Poddar (@rishabhpoddar) Proposer 6 months ago

      Hi. I do go into detail about how SuperTokens solves these problems. But yes, you are right in the sense that I do not explain every aspect of the solution. The main reason for that is the time limit of 15 mins talk + 5 mins questions.
