jsconf.uy - Death to Cookies Long Live Tokens

Death to Cookies Long Live Tokens @woloski @jfroma

Client Database auth persistent connection 1990’s Client Server Life was
easy

Workstation Browser Database auth 2000’s Intranet Web Server Active Directory
kerberos token Life inside corp

Workstation Browser Database Internet Web Server auth C C E-commerce

Browser Database Today’s applications Web Server (Scala) API (Ruby) API
(Node) Phones Tablets Realtime (Sockets) API (Facebook) C M A A A AT

+80K Views

Cookie-based auth is a sub- optimal solution for today’s systems

Set-Cookie + CORS = doesn’t play well 1

Cookies are coupled to the web framework ! If you
try to reuse a cookie issued by Java in Node, not easy 2

APIs don’t use cookies, native apps either 3

Cookies lead to CSRF attacks <iframe style="display:none" name="hidden"></iframe> <form
name="csrf" action="http://example.org/account/edit" method="post" target="hidden"> <input type="hidden" name="email" value="[email protected]" /> <script>document.csrf.submit();</script> 4

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token

How it works?

Not everything is pink color

art: http://abeon-hosting.com/security-blog/xss-attack-in-action-cookie-stealer/ Tokens XSS

Sanitize and encode everything ! Google Caja https://developers.google.com/caja/

Try token-based authentication in your next project

TOOOOOOOOKEEEENS

Thanks! @woloski @jfroma blog.auth0.com jwt.io

Appendix

JWT JSON Web Tokens eyJ0eXAiOiJKV1QiLC JhbGciOiJIUzI1NiJ9 .eyJ1c2VyX2lkIjoiM TIzNDUiLCJlbWFpbCI 6ImZvb0BiYXIuY29tI
iwiZXhwIjoxMzkyMzI zMzQwLCJpYXQiOjEzO TIzMTYxNDB9 .KQma3tquGF_zKbLdX HV4zNJAupdHJdIk6L2 g6R8kcAY ! ! { "typ":"JWT", "alg":"HS256" } { "user_id": "12345", "email" : "[email protected]", "exp": 1392323340, "iat": 1392316140 } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), "secret") ! header payload signature encoded decoded

Token expires, deal with refresh

Conﬁdential info, encrypt it

Social auth

Tokens can get big Don’t over engineer Don’t do ﬁne
grained permissions Deﬁne scopes

How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests
(single URI authorization)

jsconf.uy - Death to Cookies Long Live Tokens

jsconf.uy - Death to Cookies Long Live Tokens

Matias Woloski

More Decks by Matias Woloski

Other Decks in Technology

Featured

Transcript

Death to Cookies Long Live Tokens @woloski @jfroma

Client Database auth persistent connection 1990’s Client Server Life was

Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

Workstation Browser Database Internet Web Server auth C C E-commerce

Browser Database Today’s applications Web Server (Scala) API (Ruby) API

+80K Views

Cookie-based auth is a sub- optimal solution for today’s systems

Set-Cookie + CORS = doesn’t play well 1

Cookies are coupled to the web framework ! If you

APIs don’t use cookies, native apps either 3

Cookies lead to CSRF attacks <iframe style="display:none" name="hidden"></iframe> <form

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token

How it works?

Not everything is pink color

art: http://abeon-hosting.com/security-blog/xss-attack-in-action-cookie-stealer/ Tokens XSS

Sanitize and encode everything ! Google Caja https://developers.google.com/caja/

Try token-based authentication in your next project

TOOOOOOOOKEEEENS

Thanks! @woloski @jfroma blog.auth0.com jwt.io

Appendix

JWT JSON Web Tokens eyJ0eXAiOiJKV1QiLC JhbGciOiJIUzI1NiJ9 .eyJ1c2VyX2lkIjoiM TIzNDUiLCJlbWFpbCI 6ImZvb0BiYXIuY29tI

Token expires, deal with refresh

Conﬁdential info, encrypt it

Social auth

Tokens can get big Don’t over engineer Don’t do ﬁne

How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests