Implementing session management the correct way
When it comes to security, a lot of attention is given to password management or passwordless methods. But what happens after a user has logged into a service? Since HTTP is stateless, we still need to maintain the user's identity across API calls; the way we do this is called session management. Hence, this is a very important aspect of any application from both a security and a user experience point of view. And since most API calls will require some form of session authentication, scalability is also an important factor to consider.
Solutions to this problem are quite varied. Many developers like to keep things simple and use just one long-lived access token (the approach adopted by many libraries). While this is the least secure option, it takes the least time to understand and implement. Developers who can spend more time on security experiment with the lifetime of this token, use two tokens with differing properties (lifetime, generation method, JWT vs. opaque), and add heuristics such as detecting IP address or device fingerprint changes to limit the damage of an attack; all of these produce many false negatives and false positives.
To solve this problem once and for all, we built SuperTokens, an open-source library. It protects against all session-related attacks: XSS, brute force, session fixation, JWT signing-key compromise, data theft from the database and CSRF. In the event that session tokens are compromised, the library also detects token theft, since it uses rotating refresh tokens, as recommended in the OAuth 2.0 RFC. Finally, in terms of scalability, the library forms its tokens in a parent-child hierarchy so that its space and time complexity is at least as good as that of solutions that do not employ rotating refresh tokens.
Overall, the aim of the talk is to briefly cover the various aspects of session management, so that developers are well informed when they choose a solution for their apps. It will cover the attacks and best practices, and also introduce our library.
- Introduction to session management, why it’s important, various attacks and scalability concerns.
- Currently used methods and their analysis in the context of security, scalability and user experience
- About SuperTokens and how it is the best solution out there.
It is mainly intended for full-stack and backend developers who have previously built at least one app or have dealt with at least the very basics of session management.