Slide 1

@justinweiss #deep-sessions A Deep Dive into Sessions Justin Weiss

Slide 3

justinweiss.com

Slide 6

We need to know our users

Slide 8

http://catphotos.com/?breed=Persian&location=Seattle&user=justin

Slide 9

http://catphotos.com/?breed=Persian&location=Seattle&user=admin

Slide 10

session[:current_user_id] = @user.id

Slide 11

Thank you!

Slide 13

Always?

Slide 18

My Three Phases of Understanding
1. Do more of the thing that isn’t working
2. Avoid the thing that isn’t working
3. Learn the thing! (And use it correctly)

Slide 19

Know about a user, securely, until they leave.

Slide 22

HTTP/1.1 200 OK
Date: Wed, 08 Mar 2017 22:57:05 GMT
...
X-Params-Breed: Persian
...

Slide 25

It’s managed by the browser, not the server

Slide 26

What does a cookie look like?

Slide 27

$ curl -I http://www.google.com
HTTP/1.1 200 OK
Date: Wed, 08 Mar 2017 22:57:05 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=98=T...
Transfer-Encoding: chunked
Accept-Ranges: none

Slide 29

GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: www.google.com
...
Cookie: NID=98=T...

Slide 30

< HTTP/1.1 200 OK
< …
< Set-Cookie: NID=98=T...
> GET / HTTP/1.1
> Host: www.google.com
> ...
> Cookie: NID=98=T...

Slide 31

Cookie: name=justin; expires=Thu, 07-Sep-2017 22:57:05 GMT; \
  path=/; domain=.google.com; HttpOnly

Slide 37

Cookie: name=justin; path=/; domain=.google.com; HttpOnly
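The attributes on the cookie above (expires, path, domain, HttpOnly, plus the secure flag that appears later in the talk) decide where a browser will send the cookie back. As an added example that is not part of the talk, this Ruby script parses a Set-Cookie value and applies the RFC 6265 domain, path, expiry and Secure rules to a request; the parser, the helper names and the sample cookies are my own, built from the slide's cookie and from the later session cookie with the secure flag.

```ruby
require "time"

# Constructed from the cookie on the slide (the "Cookie:" label dropped, since
# attributes such as expires and domain only ever appear in Set-Cookie).
SET_COOKIE = "name=justin; expires=Thu, 07-Sep-2017 22:57:05 GMT; path=/; domain=.google.com; HttpOnly".freeze

# Parse a Set-Cookie value into name, value and attributes. Attribute names are
# case-insensitive (RFC 6265), so they are downcased; bare flags become true.
# origin_host is the host that sent the header; it matters when Domain is absent.
def parse_set_cookie(header, origin_host)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  cookie = { name: name, value: value, attrs: {} }
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    cookie[:attrs][key.downcase] = val.nil? ? true : val
  end
  # Without a Domain attribute the cookie is host-only: it goes back to the exact
  # host that set it and to nothing else. A leading dot in Domain is ignored.
  cookie[:host_only] = !cookie[:attrs].key?("domain")
  cookie[:domain] = (cookie[:attrs]["domain"] || origin_host).sub(/\A\./, "").downcase
  cookie
end

# Domain-match: the request host equals the cookie domain or is a subdomain of it.
def domain_match?(host, domain)
  host = host.downcase
  host == domain || host.end_with?(".#{domain}")
end

# Path-match: the request path equals the cookie path or lies beneath it.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return request_path.start_with?(cookie_path) if cookie_path.end_with?("/")
  request_path.start_with?("#{cookie_path}/")
end

# Would a conforming browser attach this cookie to a request for host/path,
# over HTTPS or not, at time `now`?
def sent_with_request?(cookie, host:, path:, https:, now:)
  attrs = cookie[:attrs]
  return false if attrs["expires"] && Time.parse(attrs["expires"]) <= now
  return false if attrs["secure"] && !https # Secure: never over plain HTTP
  if cookie[:host_only]
    return false unless host.downcase == cookie[:domain]
  else
    return false unless domain_match?(host, cookie[:domain])
  end
  path_match?(path, attrs.fetch("path", "/"))
end

# Readable from document.cookie? Only when HttpOnly is absent, which is why
# the session cookie carries that flag.
def visible_to_script?(cookie)
  !cookie[:attrs]["httponly"]
end
```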

Slide 43

What does this have to do with sessions?

Slide 44

"Give a programmer a hash table and they will move the earth."
–Archimedes, Junior Web Developer

Slide 45

Set-Cookie: name=Justin;
Set-Cookie: favorite_color=Blue;
Set-Cookie: preferred_language=Ruby;

Slide 46

Set-Cookie: username=justin; path=/; HttpOnly

Slide 47

Set-Cookie: username=admin; path=/; HttpOnly

Slide 48

class UsersController < ApplicationController
  def greet
    session[:name] = params[:name] if params[:name]
    render plain: "Hello, #{session[:name]}!"
  end
end

Slide 50

$ curl -i "http://localhost:3000/users/greet?name=Justin"
HTTP/1.1 200 OK
...
Set-Cookie: _session_my_app=OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWlnPT0%3D--533f89e5525959c122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly

Slide 53

Rails.application.config.session_store :cookie_store, key: '_session_my_app'

config/initializers/session_store.rb

Slide 57

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

config/secrets.yml

Slide 58

Rails.application.key_generator

Slide 59

secret = Rails.application.key_generator
  .generate_key("encrypted cookie")
sign_secret = Rails.application.key_generator
  .generate_key("signed encrypted cookie")
encryptor = ActiveSupport::MessageEncryptor.new(
  secret, sign_secret,
  serializer: ActiveSupport::MessageEncryptor::NullSerializer)

Slide 60

encryptor.decrypt_and_verify("OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWlnPT0=--533f89e5525959c122e31ff7eae5b886b2ed7fe9")

Slide 61

{
  "session_id":"35481e34ef3c0d0ac83e4dccf8520120",
  "name":"Justin"
}

Slide 62

Rails.application.config.action_dispatch.cookies_serializer = :json

config/initializers/cookies_serializer.rb

Slide 63

• Rails stores session data inside a single cookie
• By default, the session data is turned into JSON
• Rails signs and encrypts the cookie
• The session key and serializer can be configured to be something different
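To make the encrypt-then-sign layering of slides 59 and 60 concrete, here is an added stand-alone Ruby implementation (not Rails' own code, and not byte-compatible with it) that derives separate keys from a secret_key_base with the same two salts, produces a cookie of the shape base64(payload)--hmac, and rejects tampered or foreign cookies on the way back in, which is the same check a CookieDecryptor-style debugging helper depends on. The CookieCodec class, the iteration count and the constructed secret are my assumptions.

```ruby
require "openssl"
require "base64"
require "json"

# Added example: a stand-alone re-implementation of the layering the slides
# describe (AES-256-CBC encryption, then an HMAC-SHA1 signature) built on
# Ruby's OpenSSL stdlib. It mirrors the shape of a 2017-era Rails encrypted
# cookie, "base64(base64(ciphertext)--base64(iv))--hexdigest", but it is not
# Rails' code and is not byte-compatible with it.
class CookieCodec
  ITERATIONS = 1000 # assumed: a typical PBKDF2 iteration count for apps of that era
  KEY_BYTES  = 64

  def initialize(secret_key_base)
    # Derive independent keys with the same salts the slides pass to generate_key.
    @secret      = derive(secret_key_base, "encrypted cookie")[0, 32] # AES-256 key
    @sign_secret = derive(secret_key_base, "signed encrypted cookie")
  end

  # session hash -> cookie value
  def encrypt_and_sign(session)
    cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
    cipher.key = @secret
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    payload = "#{Base64.strict_encode64(ciphertext)}--#{Base64.strict_encode64(iv)}"
    encoded = Base64.strict_encode64(payload)
    "#{encoded}--#{hmac(encoded)}"
  end

  # cookie value -> session hash; nil when the signature fails (tampering or a
  # different secret_key_base) or the ciphertext will not decrypt.
  def decrypt_and_verify(cookie)
    encoded, digest = cookie.to_s.split("--", 2)
    return nil unless encoded && digest && secure_equal?(hmac(encoded), digest)
    ct_b64, iv_b64 = Base64.strict_decode64(encoded).split("--", 2)
    return nil unless ct_b64 && iv_b64
    cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
    cipher.key = @secret
    cipher.iv = Base64.strict_decode64(iv_b64)
    JSON.parse(cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final)
  rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
    nil
  end

  private

  def derive(secret_key_base, salt)
    OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: salt, iterations: ITERATIONS,
                             length: KEY_BYTES, hash: "sha1")
  end

  def hmac(data)
    OpenSSL::HMAC.hexdigest("SHA1", @sign_secret, data)
  end

  # Constant-time comparison so a signature check does not leak timing information.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```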

Slide 66

curl -H "Cookie: _session_my_app=OXJ2SkhNaFZBWDd1eDU3djhSekZRdmN6WjNKUjN4dlBiMWt3bW9sVjM0OERIZ3lPUmV1UFB2MmlySzI0OXJtbTRDdmI3TGd0S3AvMVNjdTlueEo1Y05zMnE3NTdsMVVmWWFVSXA5NVFOT0U9LS1tM21SL2tIMGhxYjFEWjZjb2Y3ZWlnPT0=--533f89e5525959c122e31ff7eae5b886b2ed7fe9; path=/; HttpOnly" "http://localhost:3000/users/greet"
Hello, Justin!

Slide 73

Sessions beyond cookies

Slide 74

curl -H "Cookie: _session_my_app={\"book\": Call me Ishmael. Some years ago—never mind how long precisely—having little or no money in my purse, and nothing particular to interest me on shore, I thought I would sail about a little and see the watery part of the world. It is a way I have of driving off the spleen and regulating the circulation. Whenever I find myself growing grim about the mouth; whenever it is a damp, drizzly November in my soul; whenever I find myself involuntarily pausing before coffin warehouses, and bringing up the rear of every funeral I meet; and especially whenever my hypos get such an upper hand of me, that it requires a strong moral principle to prevent me from deliberately stepping into the street, and methodically knocking people’s hats off— then, I account it high time to get to sea as soon as I can. This is my substitute for pistol and ball. With a philosophical flourish Cato throws himself upon his sword; I quietly take to the ship. There is nothing surprising in this. If they but knew it, almost all men in their degree, some time or other, cherish very nearly the same feelings towards the ocean with me. There now is your insular city of the Manhattoes, belted round by wharves as Indian isles by coral reefs— commerce surrounds it with her surf. Right and left, the streets take

Slide 76

ActionDispatch::Cookies::CookieOverflow

Slide 77

COOKIE OVERFLOW

Slide 78

How do you keep your cookies small?

Slide 79

user_id=1; expires=Thu, 07-Sep-2017 22:57:05 GMT; path=/; domain=.google.com; HttpOnly

Slide 80

What if you don't have an account?

Slide 81

user_id=35481e34ef3c0d0ac83e4dccf8520120; expires=Thu, 07-Sep-2017 22:57:05 GMT; path=/; domain=.google.com; HttpOnly

Slide 82

session_id=35481e34ef3c0d0ac83e4dccf8520120; expires=Thu, 07-Sep-2017 22:57:05 GMT; path=/; domain=.google.com; HttpOnly

Slide 83

1. Store the data in the cookie
2. Store a reference to the data in the cookie

Slide 84

session[:name] = "Justin"

Slide 85

Creating an ActiveRecord session
1. Generate a new random session id
2. Turn the session hash into a string
3. Save the id and data to a sessions table in your database
4. Return the session id with Set-Cookie:

Slide 86

Rails.application.config.session_store :cookie_store, key: '_session_my_app'

Slide 87

Rails.application.config.session_store :active_record_store, key: '_session_my_app'

Slide 90

$ curl -i "http://localhost:3000/users/greet?name=Justin"
HTTP/1.1 200 OK
...
Set-Cookie: _session_my_app=a6c4946995fe1a7fe0e472610c368858; path=/; HttpOnly
Hello, Justin!

session_id                       | data
a6c4946995fe1a7fe0e472610c368858 | BAh7BkkiCW5hbWUGOgZFRkkiC0p1c3RpbgY7AFQ=

Slide 91

curl -H "Cookie: _session_my_app=a6c4946995fe1a7fe0e472610c368858; path=/; HttpOnly" "http://localhost:3000/users/greet"
Hello, Justin!

Slide 92

Finding an ActiveRecord session
1. Grab the session id out of the cookie
2. Look up the session id in the database
3. Grab the data associated with that id
4. Turn that data back into the sessions hash

Slide 93

CacheStore
ActiveRecordStore
RedisSessionStore
MongoSessionStore
…

Slide 94

Your Very Own Session Store
• find_session
• write_session
• delete_session

Slide 95

Two kinds of session store
• CookieStore: store all data in the cookie
• Everything Else: store a pointer to data in the cookie

Slide 97

Which session store is right for you?

Slide 98

Cookie Store
• No extra setup
• Syncs with the browser lifecycle
• Can only store 4kb of data
• Risk of session replay attacks

Slide 100

CacheStore
• You probably already have a cache
• Built into Rails
• Fast -- usually kept in memory
• Sessions and cache fight for space - sessions can get kicked out
• Resetting your cache expires all sessions

Slide 104

DatabaseStore
• Keeps session data around until expiration
• Need to clean up expired sessions
• Might have capacity issues as session data grows

Slide 107

What’s the best session store?
• CookieStore
• CacheStore
• Database Store

Slide 109

Leaking Session IDs

Slide 112

Use HTTPS!

Slide 113

config.force_ssl = true

config/environments/production.rb

Slide 114

Set-Cookie: _session_my_app=d01b4e1c3d9238e82452c678d0660cf4; path=/; secure; HttpOnly

Slide 115

JavaScript and Cross-site Scripting

Slide 116

document.cookie

Slide 118

Set-Cookie: _session_my_app=d01b4e1c3d9238e82452c678d0660cf4; path=/; HttpOnly

Slide 119

Replay Attacks

Slide 120

Set-Cookie: _session_my_app='{"session_id":"35481e34ef3c0d0ac83e4dccf8520120", "credit":"400"}'

Slide 121

Set-Cookie: _session_my_app='{"session_id":"35481e34ef3c0d0ac83e4dccf8520120", "credit":"9999999"}'

Slide 122

Set-Cookie: _session_my_app=encrypted-string-with-value-400
Cookie: _session_my_app=encrypted-string-with-value-400
Set-Cookie: _session_my_app=encrypted-string-with-value-300
Cookie: _session_my_app=encrypted-string-with-value-400
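The replay sequence above, together with the find_session / write_session / delete_session interface from slide 94, as an added Ruby simulation that is not from the talk: a signed CookieStore keeps every cookie it ever issued valid, so a stale cookie brings back the old credit even though a forged value is rejected, while a server-side store that puts only a pointer in the cookie reads the current credit. The class names, the in-memory Hash standing in for the sessions table and the constructed secret are my own.

```ruby
require "json"
require "openssl"
require "securerandom"

# Constructed stand-in for secret_key_base (not a real secret).
SECRET = "constructed-secret-key-base".freeze

# CookieStore: the whole session hash travels inside the cookie. The value is
# signed so it cannot be altered, but every cookie the server ever issued
# keeps verifying, which is exactly what a replay relies on.
class CookieStore
  def write_session(session, _previous_cookie = nil)
    payload = JSON.generate(session)
    "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)}"
  end

  def find_session(cookie)
    payload, digest = cookie.to_s.split("--", 2)
    return nil unless payload && digest
    # A real implementation must use a constant-time compare here
    # (ActiveSupport::SecurityUtils.secure_compare in Rails).
    return nil unless digest == OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
    JSON.parse(payload)
  end

  def delete_session(_cookie)
    nil # nothing is kept on the server, so there is nothing to delete
  end
end

# Server-side store with the three-method interface from the "Your Very Own
# Session Store" slide. A Hash stands in for the sessions table.
class ServerSideStore
  def initialize
    @rows = {} # session_id => serialized data
  end

  def write_session(session, session_id = nil)
    session_id ||= SecureRandom.hex(16)        # fresh random id on first write
    @rows[session_id] = JSON.generate(session) # turn the hash into a string
    session_id                                 # only the pointer goes in the cookie
  end

  def find_session(session_id)
    data = @rows[session_id]
    data && JSON.parse(data)
  end

  def delete_session(session_id)
    @rows.delete(session_id)
  end
end

# Plays out the slide's sequence: the server issues credit 400, a request
# spends 100, then the client sends the first cookie again. Returns the credit
# the server reads from that replayed cookie.
def credit_after_replay(store)
  first_cookie = store.write_session({ "credit" => 400 })

  session = store.find_session(first_cookie)
  session["credit"] -= 100
  store.write_session(session, first_cookie) # the client is meant to keep this one

  store.find_session(first_cookie)["credit"]
end
```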

Slide 127

Session Best Practices

Slide 128

Prepare for the session to go away at any time

Slide 129

Don’t store complex objects

Slide 130

# == Schema Information
#
# Table name: cart_items
#
#  id         :integer          not null, primary key
#  title      :string
#  quantity   :integer
#  created_at :datetime
#  updated_at :datetime
#
class CartItem < ActiveRecord::Base
  ...
end

Slide 131

# == Schema Information
#
# Table name: cart_items
#
#  id         :integer          not null, primary key
#  name       :string
#  quantity   :integer
#  created_at :datetime
#  updated_at :datetime
#
class CartItem < ActiveRecord::Base
  ...
end

Slide 133

• ❌ Reverse the change
• ❌ Delete all sessions
• ✅ Go into the corner and cry

Slide 135

Store references to objects, not objects themselves.

Slide 136

Use sessions with intent

Slide 139

How to debug session problems

Slide 140

Isolate the problem

Slide 141

expected input … problem area … expected output

Slide 143

What if your server’s working fine?

Slide 144

mitmproxy

Slide 146

Check your domain settings!
path=/; domain=.google.com;

Slide 147

Decrypt your cookies
CookieDecryptor.decrypt("OXJ2SkhN…")

Slide 148

Sessions are core to the modern web

Slide 150

Complexity layered on
• More data? Serialize it / Store a pointer.
• Tampering? Add encryption.
• Cross-site Scripting? Add HttpOnly.
• Snooping? Add Secure.

Slide 151

It’s just code

Slide 155

Justin Weiss
@justinweiss
https://www.avvo.com
[email protected]
https://www.justinweiss.com/railsconf-2017
Thank you!

Slide 159

Image Credits