Offline logout

Interesting logout use case.

Igor Wojda

March 26, 2018

Transcript

  1. Solving offline logout
    By Igor Wojda
    @igorwojda

  2. Not so long long time ago...

  3. Username & password
    Login request
    Other request
    Other request

  4. Why is this not very secure?

  5. Username & password

  6. Token
    209eb9bb-2f6c-40d6-a9b9-912257492b61

  7. Token Renewal Timeout

  8. Token per client

  9. Token invalidate

  10. Online Logout

  11. Online logout
    Logout Request
    Additional operations

  12. Offline Logout

  13. Offline logout
    Logout Request X
    No network

  14. Option 1 – delete device token instantly
    Logout Request X
    No network

  15. Option 2 – delete device token when online
    Logout Request X
    No network

  16. Goals
    Log out user later using the token
    Remove token instantly

  17. Token
    Logout token
    Authentication token

  18. Token
    Press logout
    Is online?
    Delete authentication token
    Logout (hit logout endpoint sending logout token)
    Job scheduler runs logout job
    Invalidate both tokens
    Unregister device from receiving notifications
    NO
    Schedule logout job
    YES
    Is online?
    YES

  19. Materials
    Worth reading
    ● https://android.jlelse.eu/solving-offline-logout-problem-f3b50da49e7e
    ● https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_Expiration
    ● https://security.stackexchange.com/questions/29988/what-is-certificate-pinning

  20. Thanks!
    ANY QUESTIONS?
    You can find me at
    @igorwojda
    [email protected]
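
The two-token flow from slides 16 to 18, modelled in Python as an added example (not code from the deck or from the author's app). It follows one reading of the flowchart: the authentication token is deleted on the device at once, and the logout token is kept until the logout endpoint has been reached. The class names, the `pending_logout` flag standing in for the scheduled job, and the in-memory server are all assumptions.

```python
import secrets

class Server:
    """Toy backend (assumed design): one session per logout token."""
    def __init__(self):
        self.sessions = {}         # logout token -> authentication token
        self.push_devices = set()  # devices registered for notifications

    def login(self):
        auth, logout = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[logout] = auth
        self.push_devices.add(logout)
        return auth, logout

    def is_authenticated(self, auth):
        return auth in self.sessions.values()

    def logout(self, logout_token):
        # Invalidate both tokens, unregister the device. Idempotent for retries.
        self.sessions.pop(logout_token, None)
        self.push_devices.discard(logout_token)

class Client:
    def __init__(self, server):
        self.server, self.online = server, True
        self.auth_token, self.logout_token = server.login()
        self.pending_logout = False  # stands in for a persisted scheduled job

    def press_logout(self):
        self.auth_token = None       # removed instantly, online or not
        self.pending_logout = True   # schedule the logout job
        return self.run_logout_job()

    def run_logout_job(self):
        """Run now if online; otherwise the scheduler calls this again later."""
        if not (self.pending_logout and self.online):
            return False
        self.server.logout(self.logout_token)
        self.logout_token, self.pending_logout = None, False
        return True

def offline_logout_scenario():
    server = Server()
    client = Client(server)
    old_auth = client.auth_token   # copy kept to probe the server afterwards
    client.online = False
    offline = (client.press_logout(), client.auth_token, server.is_authenticated(old_auth))
    client.online = True
    return offline, client.run_logout_job(), server.is_authenticated(old_auth), len(server.push_devices)
```

In this model the server keeps accepting the old authentication token until the deferred job reaches it, so the token renewal timeout from slide 7 still bounds how long a copied token stays usable.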