Session implementation practicing OAuth2.0 fundamentals


What is the OAuth 2.0 protocol, and what are the benefits of using it for a session management system?
OAuth 2.0 is a protocol that allows distinct parties to share information and resources in a secure and reliable manner. In more practical terms, the most common uses of OAuth 2.0 involve two things:

  • Allowing a user to log into an application with another account. For example, Naukri enabling users to log in with their Facebook accounts.
  • Allowing one service to access resources on another service on behalf of the user. For example, Naukri accessing your Facebook profile in your name.

Before going into the depth of this implementation, let's first understand what types of session persistence are possible and how a traditional login session works.

There are broadly two implementations of session persistence: database-based and cookie-based. Let us first look at cookie-based session persistence.

Traditional Cookie-based Session: A cookie-based session is a stateless solution for session persistence in which all session data is stored in a cookie in the user's browser. The session is then authenticated using that cookie on subsequent requests.

Such user sessions are more susceptible to browser hijacking and man-in-the-middle attacks, because HTTP cookies can be intercepted and misused.

  • The browser asks the user for their username and password; once authorization and authentication complete, the session is created.
  • The session is then updated and maintained based on the cookie values.
  • The user can navigate to logged-in pages.

While this approach is simple, it also needs some improvements.

Some key improvements needed in this approach are:

  • More secure, not purely Basic-Browser Authentication.
  • Reducing HTTP-Cookie vulnerability.
  • Device identification using Session information.

These areas of improvement led to the need for a more secure and robust session management implementation. The OAuth 2.0 protocol was our choice for making our current system both better and scalable.

Login implementation at Naukri with OAuth 2.0 basics

This implementation uses database-persisted session management, which has allowed us to go beyond basic browser authentication.
The server asks the user for their username and password. On complete authorization and authentication, a session is created. To create the session, tokens are generated for it and set as cookie values.

What happens in the background to create a user session?

  • Once the user is authenticated, session cookies are generated.
  • As per OAuth 2.0, some cookie values are available only on the HTTP domain, while others are accessible exclusively on the HTTPS domain.
  • HTTP cookies are more susceptible to man-in-the-middle and browser hijack attacks. HTTPS cookies are secure, as they can be accessed only over an SSL/TLS connection.
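As an added illustration (my own code, not Naukri's and not from the original post), the following Python renders the two session-token cookies with different transport attributes and mimics the browser rule that decides which cookies accompany an HTTP request versus an HTTPS one. The cookie names `at` and `rt`, their lifetimes, and the choice of which token stays HTTPS-only are assumptions; `Secure` and `HttpOnly` are the standard cookie attributes that implement the split described above.

```python
# Added example; not Naukri's code. Cookie names, lifetimes and the choice of
# which token is HTTPS-only are assumptions made for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool     # Secure attribute: the browser sends it only over HTTPS
    http_only: bool  # HttpOnly attribute: page scripts cannot read it
    max_age: int     # lifetime in seconds


def set_cookie_header(c: Cookie) -> str:
    """Render the value of one Set-Cookie response header for this cookie."""
    parts = [f"{c.name}={c.value}", f"Max-Age={c.max_age}", "Path=/", "SameSite=Lax"]
    if c.secure:
        parts.append("Secure")
    if c.http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def session_cookies(access_token: str, refresh_token: str) -> list[Cookie]:
    """Cookies issued when a session is created (assumed names and lifetimes).

    The access token is reachable over plain HTTP, so it is the only value an
    on-path observer could capture; the refresh token is HTTPS-only.
    """
    return [
        Cookie("at", access_token, secure=False, http_only=True, max_age=15 * 60),
        Cookie("rt", refresh_token, secure=True, http_only=True, max_age=30 * 24 * 3600),
    ]


def cookies_for_request(jar: list[Cookie], scheme: str) -> dict[str, str]:
    """Mimic the browser: attach Secure cookies only when the request is HTTPS."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be 'http' or 'https'")
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}


if __name__ == "__main__":
    jar = session_cookies("AT-example", "RT-example")  # constructed token values
    for c in jar:
        print("Set-Cookie:", set_cookie_header(c))
    print("sent over http: ", cookies_for_request(jar, "http"))
    print("sent over https:", cookies_for_request(jar, "https"))
```

Over plain HTTP only `at` is attached, so it is the only value a man-in-the-middle can observe; `rt` leaves the browser only over TLS. `HttpOnly` on both keeps page scripts from reading either token.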


Why is this approach more secure?

  • When the session is created, two types of token are set: AT (access token) and RT (refresh token).
  • If the session gets hijacked, the AT value is the only value that is exposed.
  • The AT is a short-lived value. It expires soon, so the user account is not accessible for long.
  • The session also undergoes device-based authentication, which keeps the user's sessions on other devices safe.

Improvements using this approach?

  • Purely DB-based session.
  • Session-to-device mapping possible.
  • Centralized and scalable solution.
  • HTTP-only cookie vulnerability considerably reduced, as HTTPS cookies are secure since they can be accessed only over an SSL/TLS connection.
  • Forced logouts now possible.
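To show how the points in the two lists above fit together (short-lived AT, longer-lived RT, device-based authentication, DB-backed sessions, forced logout), here is an added example written for this page; it is my own illustration, not Naukri's implementation. A dictionary stands in for the session table, and the token lifetimes, the `device_id` value, hashing the stored tokens, and rotating the RT on every refresh are assumptions not stated in the post.

```python
# Added example; not Naukri's code. Lifetimes, device identifiers, token hashing
# and refresh-token rotation are assumptions chosen for illustration.
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

AT_TTL = 15 * 60          # assumed access-token lifetime: 15 minutes
RT_TTL = 30 * 24 * 3600   # assumed refresh-token lifetime: 30 days


def _h(token: str) -> str:
    """Store only a hash so a leaked session table does not leak usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class SessionRow:            # one row of the (simulated) session table
    session_id: str
    user_id: str
    device_id: str           # session-to-device mapping
    at_hash: str
    at_expires: float
    rt_hash: str
    rt_expires: float
    revoked: bool = False    # set by forced logout


class SessionStore:
    def __init__(self, clock=time.time):
        self._rows: dict[str, SessionRow] = {}   # session_id -> row
        self._clock = clock                       # injectable for tests

    def create(self, user_id: str, device_id: str) -> tuple[str, str, str]:
        """Called after password authentication succeeded; returns (session_id, AT, RT)."""
        now = self._clock()
        sid, at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._rows[sid] = SessionRow(sid, user_id, device_id, _h(at), now + AT_TTL, _h(rt), now + RT_TTL)
        return sid, at, rt

    def _live_row(self, sid: str, device_id: str) -> SessionRow | None:
        """Row lookup plus the device check that protects the user's other devices."""
        row = self._rows.get(sid)
        if row is None or row.revoked or row.device_id != device_id:
            return None
        return row

    def authenticate(self, sid: str, at: str, device_id: str) -> str | None:
        """Validate the AT presented with a request; returns user_id or None."""
        row = self._live_row(sid, device_id)
        if row is None or self._clock() >= row.at_expires:
            return None                      # a stolen AT stops working at expiry
        return row.user_id if secrets.compare_digest(row.at_hash, _h(at)) else None

    def refresh(self, sid: str, rt: str, device_id: str) -> tuple[str, str] | None:
        """Exchange a valid RT for a fresh AT and a rotated RT; returns (AT, RT) or None."""
        row = self._live_row(sid, device_id)
        now = self._clock()
        if row is None or now >= row.rt_expires or not secrets.compare_digest(row.rt_hash, _h(rt)):
            return None
        at, new_rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        row.at_hash, row.at_expires = _h(at), now + AT_TTL
        row.rt_hash, row.rt_expires = _h(new_rt), now + RT_TTL   # old RT is now dead
        return at, new_rt

    def force_logout(self, user_id: str, device_id: str | None = None) -> int:
        """Revoke every session of a user, or only the sessions on one device."""
        hit = [r for r in self._rows.values()
               if r.user_id == user_id and not r.revoked and device_id in (None, r.device_id)]
        for r in hit:
            r.revoked = True
        return len(hit)

    def devices(self, user_id: str) -> list[str]:
        """Devices that currently hold a live session for the user."""
        return sorted({r.device_id for r in self._rows.values() if r.user_id == user_id and not r.revoked})


if __name__ == "__main__":
    store = SessionStore()
    sid, at, rt = store.create("user-1", "laptop")      # constructed sample values
    print("auth on laptop:", store.authenticate(sid, at, "laptop"))
    print("auth on phone: ", store.authenticate(sid, at, "phone"))
    print("revoked:", store.force_logout("user-1"))
```

Because every check goes through the central table, a forced logout takes effect on the next request from any device, and a captured AT is useful only until `at_expires` and only from the device it was bound to.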
