Death to Cookies, Long Live Tokens

Matias Woloski

February 13, 2014


  3. 1990’s, Client Server (diagram: client with a persistent, authenticated connection to the database). Life was

  4. 2000’s, Intranet (diagram: workstation and browser, web server, Active Directory issuing a kerberos token, database auth). Life inside corp

  5. Internet (diagram: workstation and browser, web server, E-commerce, database auth; credential labels: C, C)

  6. Today’s applications (diagram: browser, web server (Scala), API (Ruby), API (Node), phones, tablets, realtime (Sockets), API (Facebook), database; credential labels: C, M, A, A, A, AT)

  7. Cookie-based auth is a sub-optimal solution for today’s systems

  9. Cookies don’t play well with CORS and different domains (1)

  10. Cookie-based auth keeps state in a server-side session (redis, mongo, sql)* (2)
    * default config; a cookie-only session is possible

  11. APIs don’t use cookies (3)

  12. Cookies are coupled to the web framework: if you try to reuse a cookie issued by Java in Node, it is not easy (4)

  13. Cookies don’t play well in native apps (5)

  14. Cookies lead to CSRF attacks (6)
    <iframe style="display:none" name="hidden"></iframe>
    <form name="csrf" action="" method="post" target="hidden">
      <input type="hidden" name="email" value="attacker@email.tld" />
    </form>
    <script>document.csrf.submit();</script>

  15. … and other security issues (7)

  16. Cookies can’t be used for delegated authentication (identity does not flow) (8)

  17. Cookies break the purity of Single Page Applications (9)

  19. Today (diagram: browser, web server (Scala), API (Ruby), API (Node), phones, tablets, realtime (Sockets), API (Facebook), database; credential labels: JWT, JWT, JWT, JWT, JWT, AT, JWT)

  20. JWT, JSON Web Tokens
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIiLCJleHAiOjEzOTIzMjMzNDAsImlhdCI6MTM5MjMxNjE0MH0.ceL8XM8RS_d6ipJ9Ys9nv1IJ1809D5YCL_yoroPKHzo
    = header . payload . signature
    header:    { "typ": "JWT", "alg": "HS256" }
    payload:   { "foo": "bar", "exp": 1392323340, "iat": 1392316140 }
    signature = HMACSHA256(base64UrlEncode(header) . base64UrlEncode(payload), ‘secret’)
  21. Demo

  22. Not everything is rosy

  23. Tokens and XSS

  24. Sanitize and encode everything! Google Caja

  25. Token expires, deal with refresh

  26. Confidential info, encrypt it

  27. Social auth

  28. Tokens can get big. Don’t over-engineer: don’t do fine-grained permissions, define scopes

  29. How to deal with protected images? Create signed requests (single URI authorization)
  30. Thanks! @woloski @thepose Auth0