Session tracking without URL field yet supporting "multi session"

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Session tracking without URL field yet supporting "multi session"

Mariano Martinez Peck
Hi guys, 

I am evaluating some improvements for an app, and I would like these 2 features:

1) Do not expose _s in URL 
2) I want to be able to open multiple different seaside sessions from different tabs of the browser. 

I was checking the WACookieSessionTrackingStrategy subclasses but of course that is not gonna work because if I have multiple sessions opened in the browser, at #cookieFromContext:ifAbsent: there is no way I can guess which is the real session I must answer for that request. 
I am not against using cookies, but I cannot see how that could work. Anyone has a workaround?

As a second thought, I saw WASslSessionTrackingStrategy (my site does run with HTTPS over nginx) which looked interesting. Has someone used this before?  I have read a couple of problems with it:

" An interval that is too short can cause a premature termination of a session.
Also, some Web browsers might have their own timers that affect the lifetime of the SSL session ID. These Web browsers may not leave the SSL session ID active long enough to serve as a useful mechanism for session tracking.
"

I seems the timeout can be easily set in nginx. But I am wondering about what it says about browsers killing inactive SSL sessions IDs. Have anyone experienced this?

Thanks in advance, 

--

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Johan Brichau-2
They only way I can think of is to store a session id in the browser sessionStorage, which is unique to each tab.
However, I do not think anyone has done so yet.

The question that pops to my mind is: why do you want to hide the _s in the url? If this is about security, it’s probably because you do not want someone to copy/paste the url and hijack the session?
You can prevent that by not using the session to track authentication, but a cookie. In other words:
- use a cookie for authentication (i.e. always require the cookie to be present)
- keep _s for session tracking
-> a user will need both the session id in the url _and_ the cookie to work

But perhaps there is another reason to keep the _s out of the url?

cheers
Johan

On 01 Oct 2015, at 15:20, Mariano Martinez Peck <[hidden email]> wrote:

Hi guys, 

I am evaluating some improvements for an app, and I would like these 2 features:

1) Do not expose _s in URL 
2) I want to be able to open multiple different seaside sessions from different tabs of the browser. 

I was checking the WACookieSessionTrackingStrategy subclasses but of course that is not gonna work because if I have multiple sessions opened in the browser, at #cookieFromContext:ifAbsent: there is no way I can guess which is the real session I must answer for that request. 
I am not against using cookies, but I cannot see how that could work. Anyone has a workaround?

As a second thought, I saw WASslSessionTrackingStrategy (my site does run with HTTPS over nginx) which looked interesting. Has someone used this before?  I have read a couple of problems with it:

" An interval that is too short can cause a premature termination of a session.
Also, some Web browsers might have their own timers that affect the lifetime of the SSL session ID. These Web browsers may not leave the SSL session ID active long enough to serve as a useful mechanism for session tracking.
"

I seems the timeout can be easily set in nginx. But I am wondering about what it says about browsers killing inactive SSL sessions IDs. Have anyone experienced this?

Thanks in advance, 

--
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside


_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Mariano Martinez Peck


On Sat, Oct 3, 2015 at 10:10 AM, Johan Brichau <[hidden email]> wrote:
They only way I can think of is to store a session id in the browser sessionStorage, which is unique to each tab.
However, I do not think anyone has done so yet.

Thanks for the idea, I wasn't aware of the sessionStorage. I will read about it. 
 

The question that pops to my mind is: why do you want to hide the _s in the url? If this is about security, it’s probably because you do not want someone to copy/paste the url and hijack the session?

Exactly. 
 
You can prevent that by not using the session to track authentication, but a cookie. In other words:
- use a cookie for authentication (i.e. always require the cookie to be present)
- keep _s for session tracking
-> a user will need both the session id in the url _and_ the cookie to work


That's exactly what I ended up doing. But I wanted to be able to have multiple sessions so the same cookie keeps a list of active sessions. Also, the session ID stored in the cookie are not the plain session ID because otherwise it would be very simple to hack. So when a new session ID is created I create another random token and I store that in a table at server side. And yes, I keep using _s for tracking. For this, I made a subclass of WAHandlerTrackingStrategy.

Then I had to make a request filter that would get the session ID from the _s and check if there is a cookie that holds a correct "token" for that cookie. 

If someone else is interested in this code I can share it. Even more if a "seaside dev" guy could take a brief look since I suspect I may be missing scenarios (like document handler expiration vs session expiration). 
 
But perhaps there is another reason to keep the _s out of the url?

cheers
Johan

On 01 Oct 2015, at 15:20, Mariano Martinez Peck <[hidden email]> wrote:

Hi guys, 

I am evaluating some improvements for an app, and I would like these 2 features:

1) Do not expose _s in URL 
2) I want to be able to open multiple different seaside sessions from different tabs of the browser. 

I was checking the WACookieSessionTrackingStrategy subclasses but of course that is not gonna work because if I have multiple sessions opened in the browser, at #cookieFromContext:ifAbsent: there is no way I can guess which is the real session I must answer for that request. 
I am not against using cookies, but I cannot see how that could work. Anyone has a workaround?

As a second thought, I saw WASslSessionTrackingStrategy (my site does run with HTTPS over nginx) which looked interesting. Has someone used this before?  I have read a couple of problems with it:

" An interval that is too short can cause a premature termination of a session.
Also, some Web browsers might have their own timers that affect the lifetime of the SSL session ID. These Web browsers may not leave the SSL session ID active long enough to serve as a useful mechanism for session tracking.
"

I seems the timeout can be easily set in nginx. But I am wondering about what it says about browsers killing inactive SSL sessions IDs. Have anyone experienced this?

Thanks in advance, 

--
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside


_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside




--

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Esteban A. Maringolo
2015-10-03 12:35 GMT-03:00 Mariano Martinez Peck <[hidden email]>:
> On Sat, Oct 3, 2015 at 10:10 AM, Johan Brichau <[hidden email]> wrote:
>>
>> They only way I can think of is to store a session id in the browser
>> sessionStorage, which is unique to each tab.
>> However, I do not think anyone has done so yet.

> Thanks for the idea, I wasn't aware of the sessionStorage. I will read about
> it.

The problem with this is how you add the session parameter to requests
(both full and xhr ones)


>> The question that pops to my mind is: why do you want to hide the _s in
>> the url? If this is about security, it’s probably because you do not want
>> someone to copy/paste the url and hijack the session?

> Exactly.


>> You can prevent that by not using the session to track authentication, but
>> a cookie. In other words:
>> - use a cookie for authentication (i.e. always require the cookie to be
>> present)
>> - keep _s for session tracking
>> -> a user will need both the session id in the url _and_ the cookie to
>> work

> That's exactly what I ended up doing. But I wanted to be able to have
> multiple sessions so the same cookie keeps a list of active sessions. Also,
> the session ID stored in the cookie are not the plain session ID because
> otherwise it would be very simple to hack. So when a new session ID is
> created I create another random token and I store that in a table at server
> side. And yes, I keep using _s for tracking. For this, I made a subclass of
> WAHandlerTrackingStrategy.

> Then I had to make a request filter that would get the session ID from the
> _s and check if there is a cookie that holds a correct "token" for that
> cookie.
>
> If someone else is interested in this code I can share it. Even more if a
> "seaside dev" guy could take a brief look since I suspect I may be missing
> scenarios (like document handler expiration vs session expiration).

Not a Seaside Dev guy, but if you share it I'll take a look at it.

I think that for preventing session hijacking you don't need to remove
the _s parameter from the query arguments, but instead *add* new
information about the particular client to the session tracking in the
server, like IP, some sort of UA fingerprint, etc.

So if somebody hijacks the session ID, it will be rejected by the
server because it's coming from a different client other than the one
that initiated the session.


Esteban A. Maringolo
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Mariano Martinez Peck


On Sat, Oct 3, 2015 at 12:44 PM, Esteban A. Maringolo <[hidden email]> wrote:
2015-10-03 12:35 GMT-03:00 Mariano Martinez Peck <[hidden email]>:
> On Sat, Oct 3, 2015 at 10:10 AM, Johan Brichau <[hidden email]> wrote:
>>
>> They only way I can think of is to store a session id in the browser
>> sessionStorage, which is unique to each tab.
>> However, I do not think anyone has done so yet.

> Thanks for the idea, I wasn't aware of the sessionStorage. I will read about
> it.

The problem with this is how you add the session parameter to requests
(both full and xhr ones)


>> The question that pops to my mind is: why do you want to hide the _s in
>> the url? If this is about security, it’s probably because you do not want
>> someone to copy/paste the url and hijack the session?

> Exactly.


>> You can prevent that by not using the session to track authentication, but
>> a cookie. In other words:
>> - use a cookie for authentication (i.e. always require the cookie to be
>> present)
>> - keep _s for session tracking
>> -> a user will need both the session id in the url _and_ the cookie to
>> work

> That's exactly what I ended up doing. But I wanted to be able to have
> multiple sessions so the same cookie keeps a list of active sessions. Also,
> the session ID stored in the cookie are not the plain session ID because
> otherwise it would be very simple to hack. So when a new session ID is
> created I create another random token and I store that in a table at server
> side. And yes, I keep using _s for tracking. For this, I made a subclass of
> WAHandlerTrackingStrategy.

> Then I had to make a request filter that would get the session ID from the
> _s and check if there is a cookie that holds a correct "token" for that
> cookie.
>
> If someone else is interested in this code I can share it. Even more if a
> "seaside dev" guy could take a brief look since I suspect I may be missing
> scenarios (like document handler expiration vs session expiration).

Not a Seaside Dev guy, but if you share it I'll take a look at it.

Great, I will package it a bit better and do a "cleaning" pass since I made it work Friday afternoon ;)
 

I think that for preventing session hijacking you don't need to remove
the _s parameter from the query arguments, but instead *add* new
information about the particular client to the session tracking in the
server, like IP, some sort of UA fingerprint, etc.


Exactly. Note that I discarded the IP filter (WAProtectionFilter) because it would be a pain for users. Imagine they move to another network, they move from house to work, they connect / disconnect from VPN, ISP assigning new IP, etc..and you loose sessions. At least for my app a session may contains LOTS of tabs for lots of current work. And my session expirations are about 2 hours. So... for MY usecase, adding IP filter is not worth. 

What I indeed was thinking BESIDES adding that cookie thingy we are discussing here, is to add a WAUserAgentFilter (very very very easy to code), which would also make sure about user agent. From what I thought, it will only "loose" sessions in case the user updates the browser, which happens every in a while. But I am still not 100% convinced. I thought this could be cool if someone could still the cookies from a stolen machine or whatever. But... what I think is that if someone can have access to cookies of another machine, he could likely browse the app from there. Not sure. Thoughts?

 
So if somebody hijacks the session ID, it will be rejected by the
server because it's coming from a different client other than the one
that initiated the session.


Exactly, that's what my cookie filter does. 


--

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Esteban A. Maringolo
2015-10-03 12:55 GMT-03:00 Mariano Martinez Peck <[hidden email]>:

>> I think that for preventing session hijacking you don't need to remove
>> the _s parameter from the query arguments, but instead *add* new
>> information about the particular client to the session tracking in the
>> server, like IP, some sort of UA fingerprint, etc.
>>
>
> Exactly. Note that I discarded the IP filter (WAProtectionFilter) because it
> would be a pain for users. Imagine they move to another network, they move
> from house to work, they connect / disconnect from VPN, ISP assigning new
> IP, etc..and you loose sessions. At least for my app a session may contains
> LOTS of tabs for lots of current work. And my session expirations are about
> 2 hours. So... for MY usecase, adding IP filter is not worth.

Roaming users are a problem for IP filtering.

> What I indeed was thinking BESIDES adding that cookie thingy we are
> discussing here, is to add a WAUserAgentFilter (very very very easy to
> code), which would also make sure about user agent. From what I thought, it
> will only "loose" sessions in case the user updates the browser, which
> happens every in a while. But I am still not 100% convinced. I thought this
> could be cool if someone could still the cookies from a stolen machine or
> whatever. But... what I think is that if someone can have access to cookies
> of another machine, he could likely browse the app from there. Not sure.
> Thoughts?

UA is very easy to spoof, so not realiable at all to be used as the
only part in an auth token (together with _s, of course).

I think there is no way to have it both ways, it is... being able to
have "one session per tab" in your browser, and also having a single
session token that survives the browser session.

Local storage is just a dictionary, and it will be readable by ANY
user of the browser, so it is very much like Cookies in this sense,
with the added part of requiring to recover the session token from it
before performing any HTTP request, and being recoverable not only by
your site, but with anybody
with access to the browser.
Session storage is localStorage but just for the tab session, so it
isn't available when you want to restart the session.

It's challenging, and maybe there is a trick to overcome this, but you
have to decide whether it is worth chasing it.

>> So if somebody hijacks the session ID, it will be rejected by the
>> server because it's coming from a different client other than the one
>> that initiated the session.

> Exactly, that's what my cookie filter does.

And that's what most websites does. Ever tried to access Facebook from
the Tor network? :)

Regards!

--
Esteban.

ps: I love authentication as domain, so I'll help think about this if
you decide to go for it :D
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Esteban A. Maringolo
2015-10-03 13:14 GMT-03:00 Esteban A. Maringolo <[hidden email]>:
> Local storage is just a dictionary, and it will be readable by ANY
> user of the browser, so it is very much like Cookies in this sense,
> with the added part of requiring to recover the session token from it
> before performing any HTTP request, and being recoverable not only by
> your site, but with anybody
> with access to the browser.

I meant, via XSS. Cookies and localStorage are secured by origin.
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Mariano Martinez Peck
Hi Esteban,

OK.... I did a VERY QUICK pass on the code in order to send it. Note that it hasn't been tested much, I still have a couple of questions to solve/discuss, etc. Also, for some reason  I did not have yet the time to debug, it seems that sometimes at login time, the filter tells you are forbidden (the validation failed), but then you try again and it works...should be something simple to fix. Anyway, I am attaching the code now as is if you want to take an early view. Otherwise by Monday/Thuesday I hope I could have something better. 

Note also that this is the first time I deal with authentication, cookies, etc, so it may not be the best code ;) 

Improvements and feedback is welcome! Please read the class comment of both classes attached. 

Thanks,



On Sat, Oct 3, 2015 at 1:17 PM, Esteban A. Maringolo <[hidden email]> wrote:
2015-10-03 13:14 GMT-03:00 Esteban A. Maringolo <[hidden email]>:
> Local storage is just a dictionary, and it will be readable by ANY
> user of the browser, so it is very much like Cookies in this sense,
> with the added part of requiring to recover the session token from it
> before performing any HTTP request, and being recoverable not only by
> your site, but with anybody
> with access to the browser.

I meant, via XSS. Cookies and localStorage are secured by origin.
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside



--

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

WAQueryFieldAndCookieTrackingStrategy.st (9K) Download Attachment
WASessionCookieProtectionFilter.st (2K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Session tracking without URL field yet supporting "multi session"

Mariano Martinez Peck
Hi Esteban, 

OK the "problem" I told you in below email is easily changing WAQueryFieldAndCookieTrackingStrategy >> sessionsSeparator 
to use $&  instead. 

Now Philip answered me that in 3.1 WAHandlerTrackingStrategy is only used for session tracking, which "solves" another of my questions. 

So... I think you are ready to take a look if you want to. 

Feedback is welcome!

On Sat, Oct 3, 2015 at 1:48 PM, Mariano Martinez Peck <[hidden email]> wrote:
Hi Esteban,

OK.... I did a VERY QUICK pass on the code in order to send it. Note that it hasn't been tested much, I still have a couple of questions to solve/discuss, etc. Also, for some reason  I did not have yet the time to debug, it seems that sometimes at login time, the filter tells you are forbidden (the validation failed), but then you try again and it works...should be something simple to fix. Anyway, I am attaching the code now as is if you want to take an early view. Otherwise by Monday/Thuesday I hope I could have something better. 

Note also that this is the first time I deal with authentication, cookies, etc, so it may not be the best code ;) 

Improvements and feedback is welcome! Please read the class comment of both classes attached. 

Thanks,



On Sat, Oct 3, 2015 at 1:17 PM, Esteban A. Maringolo <[hidden email]> wrote:
2015-10-03 13:14 GMT-03:00 Esteban A. Maringolo <[hidden email]>:
> Local storage is just a dictionary, and it will be readable by ANY
> user of the browser, so it is very much like Cookies in this sense,
> with the added part of requiring to recover the session token from it
> before performing any HTTP request, and being recoverable not only by
> your site, but with anybody
> with access to the browser.

I meant, via XSS. Cookies and localStorage are secured by origin.
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside



--



--

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside