
Death to Cookies, Long Live Tokens

Matias Woloski

February 13, 2014

Transcript

  1. Death to Cookies, Long Live Tokens (@woloski, Auth0, @thepose)

  2. None

  3. 1990’s, Client Server: Client, Database, auth, persistent connection. Life was easy

  4. 2000’s, Intranet: Workstation, Browser, Web Server, Database, Active Directory, auth, Kerberos token. Life inside corp

  5. E-commerce: Workstation, Browser, Internet, Web Server, Database, auth

  6. Today’s applications: Browser, Web Server (Scala), API (Ruby), API (Node), Phones, Tablets, Realtime (Sockets), API (Facebook), Database

  7. Cookie-based auth is a sub-optimal solution for today’s systems

  8. None
  9. Cookies don’t play well with CORS and different domains (1)

  10. Cookie-based auth keeps state in a server-side session (redis, mongo, sql)* (2)
      * with the default config; cookie-only sessions are possible

  11. APIs don’t use cookies (3)

  12. Cookies are coupled to the web framework: if you try to reuse a cookie issued by Java in Node, it is not easy (4)

  13. Cookies don’t play well in native apps (5)

  14. Cookies lead to CSRF attacks (6)

      <iframe style="display:none" name="hidden"></iframe>
      <form name="csrf" action="http://example.org/account/edit" method="post" target="hidden">
        <input type="hidden" name="email" value="attacker@email.tld" />
      </form>
      <script>document.csrf.submit();</script>

  15. … and other security issues (7)
      https://github.com/blog/1466-yummy-cookies-across-domains
      http://arstechnica.com/business/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness/

  16. Cookies can’t be used for delegated authentication (identity does not flow) (8)

  17. Cookies break the purity of Single Page Applications (9)

  18. None

  19. Today: Browser, Web Server (Scala), API (Ruby), API (Node), Phones, Tablets, Realtime (Sockets), API (Facebook), Database (diagram: a JWT is carried on each hop)

  20. JWT: JSON Web Tokens

      eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIiLCJleHAiOjEzOTIzMjMzNDAsImlhdCI6MTM5MjMxNjE0MH0.ceL8XM8RS_d6ipJ9Ys9nv1IJ1809D5YCL_yoroPKHzo

      header:    { "typ": "JWT", "alg": "HS256" }
      payload:   { "foo": "bar", "exp": 1392323340, "iat": 1392316140 }
      signature = HMACSHA256(base64UrlEncode(header) . base64UrlEncode(payload), 'secret')

      token = header . payload . signature
  21. Demo https://github.com/auth0/token-auth-angular-guide

  22. Not everything is pink color

  23. Tokens: XSS (art: http://abeon-hosting.com/security-blog/xss-attack-in-action-cookie-stealer/)

  24. Sanitize and encode everything! Google Caja: https://developers.google.com/caja/

  25. Token expires, deal with refresh

  26. Confidential info, encrypt it

  27. Social auth

  28. Tokens can get big. Don’t over-engineer: don’t do fine-grained permissions, define scopes

  29. How to deal with protected images? Create signed requests (single URI authorization): https://github.com/hueniverse/hawk#single-uri-authorization
  30. Thanks! @woloski @thepose Auth0