session management – Cookieless Authentication

I am working on an authentication server that can act as a central place to manage authentication for multiple projects, sort of like keycloak or ory kratos.

While working on implementing refresh tokens (RT), I got an idea for an alternative solution that would not rely on cookies. But first, the challenges I see with using refresh tokens:

Secure Cookies

I am currently storing the RT inside an HttpOnly cookie with the SameSite attribute set to Strict to avoid the browser leaking the RT. This also requires me to either 1) run the authorization server on the same site (e.g. auth.example.com) or 2) proxy the request through my API server to the authentication server.

When a client asks for a new access token (AT), the old RT gets invalidated and the client receives a new AT/RT pair. This works well for the happy case where nothing breaks, but IMO it creates a bad UX when something goes wrong, e.g. the user is on a bad internet connection and requests a new AT; while the server is processing the request the client loses the connection and never receives the new RT. Now the user is in an invalid state and needs to sign in again.

A cookieless solution

  1. Generate a Private/Public Key Pair
  2. Alongside the username and password send the generated public key to the authentication server
  3. On success the authentication server returns a session ID that can be used to associate the current session with the public key that was sent to the server
  4. The client stores the session ID and the private key in IndexedDB (with extractable set to false)
  5. In order to request a new access token for a given session the client calls the authentication server with a short lived Access Token signed with the private key.

Private Key Storage

In order to prevent private keys from leaking outside the browser context, we need to configure the CryptoKey object to not be extractable. This allows us to use the private key to sign the AT without directly accessing the key, preventing XSS.

MDN: https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey

Conclusion

I think this approach would have the same security characteristics as using refresh tokens but can provide a better UX in case of failure; additionally, I don't have to run the authentication server on the same site as my client projects.

Am I missing something?

java – is it possible for spring jms to create one session on a connection while another thread has already closed this connection?

We use the CachingConnectionFactory of Spring JMS. One thread tries to create a session on a connection, but it turns out another thread closed that connection just a few milliseconds earlier, so an exception is raised in the first thread. We use IBM MQ underneath, and the above is what the IBM MQ expert says. Is it possible? And how can we solve this problem? We use Spring 3.0.2.

terminal – Error in Virtual Box: Failed to open a session for the virtual machine

I want to install Ubuntu 20.10 on VirtualBox 6.1.18. Creating the virtual machine works fine, so I press Start, but when I go to browse for the ISO file this error appears:


I saw different solutions in the terminal for Windows, but none for Mac helped me. Downgrading VirtualBox isn't an option because my professor requires this version.

dungeon world – So what do I do when a player gets bad luck at the start of the session?

To answer ‘what should I do?’, the answer is probably:

Ask the player if they had a good time. Ask them if they enjoyed the story. If the answer is “yes”, then you did everything right.

To answer ‘how to make the encounter easy’, the Dungeon World answer is: you don’t.

It’s not your job to make encounters easy or hard. It’s your job to be a fan of the characters, and it’s your job to fill their lives with adventure. These are your agendas, and it sounds like you followed them perfectly well.

If players have bad luck, that just means you’ll be in the “the hero is being challenged and is failing” part of the story, and it means they’ll earn XP and grow and come back stronger in the end. It’s not a problem at all (assuming the player is having fun).

Remember that Lord of the Rings features the early part where Frodo gets stabbed by a Ring Wraith and then needs to be saved by Aragorn, and then almost dies, and then needs to be saved again when traveling to the safety of Rivendell and then again by Elrond’s healing. I don’t think anybody considers it a bad story because the first encounter wasn’t easy.

http – When using load balancer with sticky session, what happens to session if associated server

Typical scenario using a load balancer (LB): the user logs in, and after a successful login a server behind the LB returns a session token. This session token is proof that the user has logged in, and it is also used to correlate session state.
Now, only the particular server behind the LB which logged the user in knows the session ID, so the user's requests need to be directed to the same server each time. This is done through session stickiness configured in the LB. (The other way is to replicate the session ID to all other servers, which I am not considering, since in most cloud providers session stickiness is available but replicating the session ID is not available at all, due to performance etc. issues.)
Q is: what if that particular server holding the user's session ID crashes? Is it so that the user is simply logged off, loses session state, and starts his session again?

PhpMyAdmin session is closed after 1440 seconds

Adding this to the config file is supposed to avoid it:

$cfg['Servers'][$i]['LoginCookieValidity'] = 2592000;

Now, checking cookies, I can see the one named pmaUser-1 expires on March 21; that's correct.
However, sessions keep expiring after 1440 seconds.
I know it's not PHP; I have many other sites running on the same server and their sessions last forever.
Any idea what’s going on?

cookies – Does storing a session id for remembering the session require user consent under GDPR?

My application provides public landing pages to visitors. Whenever the user visits or refreshes the page, we record analytics containing the IP address and browser information and generate a unique session ID.

The session ID is then stored in the local storage.

The landing page contains a lead form or RSVP form to be submitted by the visitor. We use the session ID stored in the storage to link the form submission with the session created.

  • Does this require a cookie consent notice to be displayed to the user?
  • Without the session ID, the user won’t be able to perform any activity on the page like lead submit or RSVP submit. Would it be best practice to force the user to allow cookies before the actual data is displayed and, if declined, not serve the data?
  • What if we do not use cookies or localStorage and instead store the session ID in a variable of the SPA and use it to carry out lead submission or RSVP; will it still require user consent under the GDPR?

network – Prevent IP session hijacking

I was thinking of the following scenario :

  • a network is behind a router (performing NAT) and firewall
  • this firewall denies all unsolicited incoming packets
  • a user on a computer in the network opens a browser and types in “www.google.com”; he therefore opens a port to establish communication with a socket on Google’s side

Our user feels secure, but there is an attacker outside who is constantly sending to many IPs a spoofed TCP/IP packet with the source IP address of one of Google’s servers and a low TCP number. He uses a malicious payload.

In my mind, there is a risk that (rarely) the attacker hits his target, meaning that he hits a router whose firewall will let the packet into the network because a connection was indeed established with the IP the attacker is spoofing. That way the attacker is able to make the computer on the network process the attacker’s data.

The scenario is even more favorable for the attacker with UDP.

What security measure in common routers/firewall prevent that?

PS: I asked that question yesterday and was quickly dismissed by someone who said I just did not know enough and that this could not happen. I did my research, and I still believe that this could happen. If you feel you have to close this, I would greatly appreciate a one-line explanation of why what I highlighted could not happen.