User Panel
User Panel
User Panel
|
Posted: 9/29/2017 10:40:38 AM EDT
[#1]
Yes, this is generally how a session key / access token works.
A session is essentially the window of time of a given authentication. A lot of sites will have an 'unlimited' session key, or basically a key / token that never expires. But others will tag a session key / access token with an expiration date. Some will make this expiration date a hard date, while others may decide to 'refresh' the date whenever the session key is used (not idle). Encrypting the data connection is the primary method of securing the session key / access token in transit (e.g. https only). You also need to test the given site to mitigate any Cross Site Scripting vulnerabilities to prevent key / token theft. Using long / complex session keys are good to prevent key 'guessing' (use in combination with expiring keys). You can also constantly change the session key on behalf of the user without requiring a re-auth. |
|
|
|
Posted: 9/29/2017 11:17:45 AM EDT
[#2]
Quoted:
Here I how I understand it(forget about db input sanitizing, and hashing/salting for now): 1. visitor goes to login page for the domain. 2. login page retrieves client cookies for the domain. 3. if no cookies, the login page completes loading and gives user/pass form text boxes and button which user fills out and submits to login page A note on 1,2,3: Client sends request to login page for the domain, before the request is sent, if the browser has cookies for that domain, that are not expired, they are sent with the request to the server that is rendering the login page. Just don't want you thinking the page "retrieves" client cookies (unless you're using localStorage/sessionStorage as a token store which is  ).
The server or logic of the login page will determine, if cookies are sent, if the session is valid and redirect the client accordingly (i.e. if there is not a valid session with this session cookie value, redir to the login page or render the login form element, etc.) 4. login page queries website DB, finds username and validates the correct password 5. login page generates, say a random 100 character long a-Z & 0-9 string to use as cookie, inserts into DB cookies table, associates with foreign key of user account A note on 5: server middleware facilities (should) use a secure PRNG to generate the session ID, they can be stored in a DB or keystore or in memory, insert disclaimer about SSO/load balancing/proxies/etc here. Not sure if these details are relevant to your question but they can make a difference when you get to #10 6. login page pushes cookie to user after setting domain, cookie name/value, timeout, etc other cookie settings 7. login page redirects client to some User resource page 8. client opens user resource page, which retrieves client cookies for the domain. 9. client provides the cookie it was just given by login page Just to clarify on 8,9 again, the browser always sends the unexpired cookies for that domain with each request, there's not really a retrieving of cookies 10. User resource page looks for this particular 100 character string of text in the cookies DB table, find it, determines user ID associated with it, and then provides user-specific into to the client. voila Is that how it works in practice? if not, Is what I describe not feasable/secure/etc? Finally, what is a "session"? |
|
|
|
Posted: 9/29/2017 11:10:16 PM EDT
[#3]
Always set secure and httponly cookie attributes.
Also, there are many session management frameworks already available. Don't bother trying to invent your own. You will never be as smart nor have the time to test your own code compared to these supported frameworks. If you just want to roll your own to learn, no big deal but wouldn't go to production with it. |
|
|
|
Posted: 9/30/2017 8:51:09 AM EDT
[#4]
Quote HistoryQuoted:
Also, there are many session management frameworks already available. Don't bother trying to invent your own. You will never be as smart nor have the time to test your own code compared to these supported frameworks. If you just want to roll your own to learn, no big deal but wouldn't go to production with it. |
|
|
Win a FREE Membership!
Sign up for the ARFCOM weekly newsletter and be entered to win a free ARFCOM membership. One new winner* is announced every week!
You will receive an email every Friday morning featuring the latest chatter from the hottest topics, breaking news surrounding legislation, as well as exclusive deals only available to ARFCOM email subscribers.
AR15.COM is the world's largest firearm community and is a gathering place for firearm enthusiasts of all types.
From hunters and military members, to competition shooters and general firearm enthusiasts, we welcome anyone who values and respects the way of the firearm.
Subscribe to our monthly Newsletter to receive firearm news, product discounts from your favorite Industry Partners, and more.
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.
Any use of this content without express written consent is prohibited.
AR15.Com reserves the right to overwrite or replace any affiliate, commercial, or monetizable links, posted by users, with our own.
