JSFoo is in its ninth edition this year. Talks at JSFoo 2019 will cover the following topics:
- Component architecture -- how different web components have been stitched together to build apps; outcomes on UI and performance as a result of architecture choices
- Deployment practices for front-end and how Kubernetes and CI/CD fall into this picture
- Developer experience (DX)
- Functional programming paradigms: ReasonML and ClojureScript
- Privacy and Content Security Policy (CSP)
- New developments such as SvelteJS
Speakers from Razorpay, CloudCherry, Myntra, Innovaccer, GitLab, Microsoft, Atlassian and Gramener will share their work and learnings on these topics.
JSFoo is a conference for practitioners, by practitioners. JSFoo 2019 is a conference for:
- Front-end engineers
- Senior software developers
- Team leaders and engineering managers
- Fullstack developers
- InfoSec professionals
## JSFoo 2019 details:
Dates: 27 and 28 September
Venue: NIMHANS Convention Centre, Bangalore
The following workshops have been curated for before and after the conference:
For inquiries about conference tickets, workshop tickets and any other details, call JSFoo on 7676332020 or email firstname.lastname@example.org
For tickets and sponsorships, contact email@example.com or call +91-7676332020. For queries about proposing talks, write to firstname.lastname@example.org
Implementing session management the correct way
When it comes to security, a lot of attention is given to password management or passwordless methods. But what happens after a user has logged into a service? Since HTTP is stateless, user identity still has to be maintained across API calls; the way this is done is called session management. It is therefore an important aspect of any application from both a security and a user experience point of view. And since most API calls require some form of session authentication, scalability is also an important factor to consider.
Solutions to this problem vary widely. Many developers keep things simple and use a single long-lived access token (the approach taken by many libraries). This is the least secure option, but it takes the least time to understand and implement. Developers who can spend more time on security experiment with the lifetime of that token, use two tokens with different properties (lifetime, generation method, JWT vs opaque), and add heuristics such as detecting IP address or device fingerprint changes to limit the damage of a compromise; these heuristics produce many false positives and false negatives.
To solve this problem once and for all, we built SuperTokens, an open source library. It protects against all session-related attacks: XSS, brute force, session fixation, JWT signing key compromise, data theft from the database and CSRF. If session tokens are compromised, the library also detects token theft, since it uses rotating refresh tokens, as recommended in the OAuth 2.0 RFC. Finally, in terms of scalability, the library uses a parent-child hierarchy to form the tokens, so that its space and time complexity is at least as good as that of other solutions that do not employ rotating refresh tokens.
Overall, the aim of the talk is to touch briefly on the various aspects of session management, so that developers are well informed when they choose a solution for their apps. It will cover all the attacks and best practices, and also introduce our library.
- Introduction to session management, why it’s important, various attacks and scalability concerns.
- Currently used methods and their analysis in the context of security, scalability and user experience
- About SuperTokens and how it is the best solution out there.
It is mainly intended for full-stack and backend developers who have built at least one app or have dealt with at least the basics of session management.