Sep 2019
23 Mon
24 Tue
25 Wed
26 Thu
27 Fri 08:55 AM – 05:00 PM IST
28 Sat 08:55 AM – 05:45 PM IST
29 Sun
Rishabh Poddar
When it comes to security, a lot of attention is given to password management or passwordless methodologies. But what happens after a user has logged into a service? Since HTTP is stateless, we still need to maintain user identity across API calls; the way we do this is called session management. Hence, this is a very important aspect of any application from both a security and a user experience point of view. Also, since most API calls will require some sort of session authentication, scalability is also an important factor to consider.
Solutions to this problem are quite varied. Many developers like to keep things simple and use just one long-lived access token (the solution adopted by many libraries). While this is the most insecure option, it takes the least time to understand and implement. Developers who can spend more time on security experiment with the lifetime of this token, use two tokens with varying properties (lifetime, generation methodology, JWT vs opaque) and implement various heuristics, such as detecting IP address or device fingerprint changes, to minimise attack damage. All of these have many false negatives and false positives.
To solve this problem once and for all, we built an open source library, SuperTokens. It protects against all session-related attacks: XSS, brute force, session fixation, JWT signing key compromise, data theft from the database and CSRF. In the event that session tokens are compromised, the library also has token theft detection, since it uses the concept of rotating refresh tokens, as recommended in the OAuth 2.0 RFC. Finally, in terms of scalability, this library uses a parent-child hierarchy to form the tokens, so that the space and time complexity is at least as good as that of all other solutions that do not employ rotating refresh tokens.
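The theft detection described above works because each refresh rotates the token and retires its parent, so any retired token that comes back signals that two parties hold copies. The in-memory store below is an added illustration of that idea (the generic rotation-and-reuse-detection scheme, not code from the talk or from the SuperTokens library); the record layout, status strings and `SessionStore` class are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical in-memory session store illustrating rotating refresh tokens
# with reuse detection. Not SuperTokens' implementation.


@dataclass
class SessionRecord:
    current_hash: str                                  # only token valid right now
    consumed: Set[str] = field(default_factory=set)    # hashes of rotated-out parents
    revoked: bool = False


@dataclass
class RefreshResult:
    status: str                          # "ok", "invalid", "theft_detected", "revoked"
    new_refresh_token: Optional[str] = None


def _h(token: str) -> str:
    # Persist only hashes so a stolen database does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, SessionRecord] = {}

    def create_session(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[session_id] = SessionRecord(current_hash=_h(token))
        return token

    def refresh(self, session_id: str, presented: str) -> RefreshResult:
        rec = self.sessions.get(session_id)
        if rec is None:
            return RefreshResult("invalid")
        if rec.revoked:
            return RefreshResult("revoked")
        h = _h(presented)
        if h == rec.current_hash:
            # Normal rotation: retire the presented token and issue its child.
            child = secrets.token_urlsafe(32)
            rec.consumed.add(h)
            rec.current_hash = _h(child)
            return RefreshResult("ok", child)
        if h in rec.consumed:
            # A rotated-out token came back: a thief or the legitimate client
            # holds a stale copy, so the whole session is revoked.
            rec.revoked = True
            return RefreshResult("theft_detected")
        return RefreshResult("invalid")
```

Once theft is detected the legitimate client's current token is rejected too, which forces a fresh login rather than letting either party keep the session.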
Overall, the aim of the talk is to touch briefly on the various aspects of session management, so that developers are well informed when they decide on their solution for their apps. It will cover all attacks, best practices, and also introduce our library.
It is mainly intended for full stack and backend developers, who have previously built at least one app or have previously dealt with at least the very basics of session management.
Rishabh is the CTO and co-founder of SuperTokens (https://supertokens.io), the world's best session management library. He is a full stack engineer with expertise in relational and NoSQL databases, distributed systems, JavaScript & Java, operating systems, React JS and React Native. He got his first-class bachelor's degree in Computer Science from Imperial College London (graduated in 2015).
https://docs.google.com/presentation/d/1tDjcbgb62bdnT3lvwSojtzCYrqJ33kDIBhvtd5JuTEM/edit?usp=sharing