Slide 1

Solving offline logout
By Igor Wojda @igorwojda

Slide 2

Not so long ago...

Slide 3

Username & password sent with:
- Login request
- Other request
- Other request

Slide 4

Why is this not very secure?

Slide 5

Username & password

Slide 6

Solution?

Slide 7

Token 209eb9bb-2f6c-40d6-a9b9-912257492b61

Slide 8

Token

Slide 9

Token renewal timeout

Slide 10

Token per client

Slide 11

Token invalidation

Slide 12

Online logout

Slide 13

Online logout:
- Logout request
- Additional operations

Slide 14

Offline logout

Slide 15

Offline logout: Logout request fails (X, no network)

Slide 16

Option 1 – delete device token instantly (Logout request fails: X, no network)

Slide 17

Option 2 – delete device token when online (Logout request fails: X, no network)

Slide 18

Goals:
- Remove token instantly
- Log the user out later using the token

Slide 19

Solution?

Slide 20

Token:
- Authentication token
- Logout token

Slide 21

Token flow:
1. Press logout
2. Delete authentication token
3. Is online?
   - YES: Logout (hit logout endpoint sending logout token); invalidate both tokens; unregister device from receiving notifications
   - NO: Schedule logout job; job scheduler runs logout job; is online? YES: Logout (hit logout endpoint sending logout token); invalidate both tokens; unregister device from receiving notifications
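An added model of the two-token flow from slides 20 and 21, written for this page and not code from the talk; the AuthServer and Client classes, their method names and the in-memory token stores are assumptions. It shows why the split works: the logout token left on the device after an offline logout cannot authenticate any request, it can only revoke the session once the scheduled job reaches the server.

```python
import secrets


class AuthServer:
    """Constructed in-memory stand-in for the backend (an assumption, not the talk's code)."""
    def __init__(self):
        self.sessions = {}       # authentication token -> user
        self.logout_tokens = {}  # logout token -> the authentication token it may revoke

    def login(self, user):
        # Two independent random tokens: knowing one does not reveal the other.
        auth, logout = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[auth] = user
        self.logout_tokens[logout] = auth
        return auth, logout

    def data_request(self, token):
        # Only the authentication token grants access; a logout token is rejected here.
        return self.sessions.get(token)

    def logout(self, logout_token):
        # Unauthenticated endpoint: presenting the logout token invalidates both tokens.
        auth = self.logout_tokens.pop(logout_token, None)
        if auth is None:
            return False
        self.sessions.pop(auth, None)
        return True


class Client:
    """Device side: the auth token is dropped instantly, the logout token is kept for the job."""
    def __init__(self, server, user):
        self.server, self.online, self.pending_logout = server, True, False
        self.auth_token, self.logout_token = server.login(user)

    def press_logout(self):
        self.auth_token = None  # goal 1: remove the authentication token instantly
        if self.online:
            self._send_logout()
        else:
            self.pending_logout = True  # goal 2: schedule the logout job for later

    def _send_logout(self):
        ok = self.server.logout(self.logout_token)
        self.logout_token, self.pending_logout = None, False
        return ok

    def run_scheduled_jobs(self):
        # The job scheduler retries the logout job once the device is back online.
        return self.pending_logout and self.online and self._send_logout()
```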

Slide 22

Materials worth reading:
- https://android.jlelse.eu/solving-offline-logout-problem-f3b50da49e7e
- Table salt
- https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_Expiration
- https://security.stackexchange.com/questions/29988/what-is-certificate-pinning

Slide 23

Thanks! Any questions? You can find me at @igorwojda, [email protected]