Death to Cookies, Long Live Tokens

Transcript

1. Death to Cookies Long Live Tokens @woloski Auth0 @thepose

2. None

3. Client Database auth persistent connection 1990’s Client Server Life was

   easy

4. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

   kerberos token Life inside corp

5. Workstation Browser Database Internet Web Server auth C C E-commerce

6. Browser Database Today’s applications Web Server (Scala) API (Ruby) API

   (Node) Phones Tablets Realtime (Sockets) API (Facebook) C M A A A AT

7. Cookie-based auth is a sub- optimal solution for today’s systems

8. None

9. Cookies don’t play well with CORS and different domains 1

10. Cookie-based auth keep state in server side session (redis, mongo,

    sql)* ! * default config, cookie only is possible 2

11. APIs don’t use cookies 3

12. Cookies are coupled to the web framework, if you try

    to reuse a cookie issued by Java in Node, not easy 4

13. Cookies don't play well in native apps 5

14. Cookies lead to CSRF attacks <iframe  style="display:none"  name="hidden"></iframe>   <form

     name="csrf"                action="http://example.org/account/edit"                method="post"                target="hidden">   <input  type="hidden"  name="email"  value="[email protected]"  />   <script>document.csrf.submit();</script> 6

15. … and other security issues https://github.com/blog/1466-yummy-cookies-across-domains http://arstechnica.com/business/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness/ 7

16. Cookies can’t be used for delegated authentication (identity does not

    flow) 8

17. Cookies break the purity of Single Page Applications 9

18. None

19. Browser Database Today Web Server (Scala) API (Ruby) API (Node)

    Phones Tablets Realtime (Sockets) API (Facebook) JWT JWT JWT JWT JWT AT JWT

20. JWT JSON Web Tokens eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIiLCJleHAiOj EzOTIzMjMzNDAsImlhdCI6MTM5MjMxNjE0MH0.ceL8XM8RS_d6ipJ9Ys9nv1IJ1 809D5YCL_yoroPKHzo {    

           "typ":"JWT",          "alg":"HS256"   } {            "foo":"bar",     "exp":  1392323340,     "iat":  1392316140   } signature  =  HMACSHA256(         base64UrlEncode(header)           .           base64UrlEncode(payload),           ‘secret’) = header payload signature

21. Demo https://github.com/auth0/token-auth-angular-guide

22. Not everything is pink color

23. art: http://abeon-hosting.com/security-blog/xss-attack-in-action-cookie-stealer/ Tokens XSS

24. Sanitize and encode everything ! Google Caja https://developers.google.com/caja/

25. Token expires, deal with refresh

26. Confidential info, encrypt it

27. Social auth

28. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

29. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)

30. Thanks! @woloski @thepose Auth0