What follows is a 2 part series on session management — inspired by extensive conversations with over 70 developers and our own intensive research. We will explore different session management practices, identify issues and converge on a solution to these issues. Through it all, I hope to leave you with clarity on deciding how to manage user sessions (and auth tokens) for your application. In 20 minutes, we summarise all the important information it took us hundreds of hours to obtain and document.
This is part 1 in a two-part series on session management.
Part 1: Introduction to session management, analysis of the most commonly used session flows, and best practices
Part 2: Analysis of a new, open source session flow that is secure and easy to integrate into existing systems — provided by SuperTokens
Specifically, in part 1, we cover
Note: Do not confuse session management with OAuth, as the latter is a protocol designed only for the purpose of delegation. Session management, for the purpose of this article, is about how auth tokens are handled, stored and changed during an active session — whether it be for OAuth flows, or for server-client session flows.
Why is session security important?
Session security is an important consideration in the design of any system that requires communication between a server and a client. Improper security can lead to user accounts being vulnerable to unauthorized access. OWASP (Open Web Application Security Project — a leading authority on security) considers the improper implementation of authorisation / authentication the second biggest risk to application security. Several notable hacks illustrate this point:
- The Docker Hub database hack earlier this year resulted in stolen GitHub access tokens. Source
- GitLab had a vulnerability where all its users’ auth tokens were exposed in URLs, had no expiry time and were susceptible to brute force attacks due to their short length. Source
- A software bug made it possible to steal access tokens — affecting 90 million Facebook accounts. Source
- YouTube influencers’ accounts were compromised for several days via session token theft, which let the attackers completely hijack the accounts and change their video content. The tokens were stolen via malware installed on the victims’ computers. Source
It is tricky, time-consuming and expensive to correctly implement user session management. According to an a16z operating partner (top-tier VC) and former Box CSO (Chief Security Officer), authentication and authorisation is the number one spending cost for organisations when it comes to their security budget. Source
This is the tip of the iceberg, but we hope it is enough for anyone to realize that they could be the next Titanic if they do not correct their course.
JWTs vs Opaque access tokens
We’ll briefly explore the two predominant types of tokens that are used in session management. Several of the flows we discuss require an understanding of these tokens.
JSON Web Tokens (JWT)
- Each JWT contains specific information that can be interpreted by any party that has that token. For example, this information can contain the user ID of the user for whom it was issued.
- An advantage of using JWTs is scalability, as the backend does not need to do a database lookup for every API call.
- The drawback is that revoking a single token on demand (before it expires) can be difficult if methods like blacklisting are not used (which impacts the scalability of the solution). However, one can revoke all tokens by changing the signing key.
Opaque Tokens
- These are random strings which act as pointers to information that is held only by the system that issues them.
- These require a database/cache lookup each time they are used.
While these two token types have different properties, theft of either type can lead to unauthorised access to a user’s account.
Common attacks on sessions
Auth tokens are stored on the frontend and the backend and are frequently sent over the network (depending on the session flow). As such, they are vulnerable to several types of attacks.
- OAuth token theft
- CSRF
- Session fixation
- Social Engineering / physical access
While it may seem that these attacks are unlikely, it is important to take session security seriously and deploy appropriate measures. The vulnerability of the system is based on the cumulative probabilities of all the types of attacks.
Further on, we discuss how each of these attacks could lead to token theft and we explore best practices to mitigate against these types of attacks.
To keep tokens safe, a system architect should not only prevent tokens from being stolen but, as a fail-safe, also ensure that should token theft occur, the system is able to detect it as quickly as possible. Detection is an important concept to consider and will be explored in the next section.
Detection vs Prevention of stolen auth tokens
Prevention is a first line of defense and all attempts should be made to minimize theft. However, auth tokens are fundamentally susceptible to theft because they are transmitted to an untrusted party (the app’s frontend). Hence, detection of token theft has an important role to play in the security of the system. Existing detection methods rely largely on heuristic algorithms such as tracking sudden changes in IP addresses and browser (or mobile) fingerprints and flagging “unusual user behaviour”. Unfortunately, these methods themselves can be inaccurate, easy to spoof and difficult to implement. However, there is a reliable way to integrate detection of theft in the session management flow, and in part 2 we propose a flow that does that.
On a related note, in cases where session vulnerabilities are publicly exposed, companies may release statements stating that there was no indication that the vulnerability was exploited. However, what they fail to mention is how extensively their system would be able to detect token theft in the first place!
Common ways of implementing session management flows
We’ve identified the most commonly used session management flows and classified them into 5 groups.
- Long-lived access token
- Short — Medium term lived access token used to get a new access token
- Short — Medium term access token whose usage extends its expiry
- Short-lived access token
- Short-lived access token with long-lived refresh token
1. Long-lived access token
- If the user voluntarily logs out, the access token is revoked and cleared from the frontend.
Damage Analysis
The critical auth token is perpetually exposed over three attack surfaces — the frontend, during transit and the backend.
Effect of stolen auth tokens:
The attacker would have unauthorised access to the victim’s account until the token’s expiry time — which could be weeks or months!
Detection of theft:
Token theft may only be detected through the use of heuristic algorithms or if the user notifies the provider/developer of the service.
Once detected:
If the flow is implemented using JWTs, it may be difficult to revoke the token. However, stolen Opaque access tokens can be easily revoked.
2. Short-Medium term lived access token used to get a new access token
- The new access token can be used by the frontend even if the previous token has not expired.
- If the user voluntarily logs out, the access token is revoked on the backend and cleared from the frontend.
- It is likely that a user will be logged out if the access token is short lived.
Damage analysis
The critical auth token is perpetually exposed over three attack surfaces — the frontend, during transit and the backend.
Effect of stolen auth tokens:
An attacker must constantly renew their token to maintain unauthorised access.
Detection of theft:
To stay logged in, both the attacker and victim need to request a new access token from the server before the current (stolen) token expires. Both would do this using the same access token. If the same token is used twice for the request, then the system could deduce that there has been a theft — depending on how the frontend is implemented. A shorter-lived access token would enable quicker detection of theft, but it may also result in poor user experience due to repeated logouts when there is no theft.
Once detected:
The access token associated with this session would need to be revoked. It may be complex to stop the attack if the access token is a JWT.
3. Short-Medium term lived access token whose usage extends its expiry
- If the user voluntarily logs out, the access token is revoked and cleared from the frontend.
Damage Analysis
The critical auth token is perpetually exposed over three attack surfaces — the frontend, during transit and the backend. Note that this flow does not apply to JWTs, as extending their expiry time would result in a change of the token value itself (thank you Mehmood Deshmukh for pointing this out).
Effect of stolen auth tokens:
As long as either the victim or the attacker is active, the attacker would be able to maintain unauthorised access.
Detection of theft:
Token theft may only be detected through the use of heuristic algorithms or if the user notifies the provider/developer of the service.
Once detected:
The access token associated with this session would need to be revoked.
4. Short-lived access tokens
- If the user voluntarily logs out, the access token is revoked and cleared from the frontend.
Damage Analysis
There are no critical auth tokens in this case. However, this method frequently exposes the user’s credentials during transit — making it susceptible to attack.
Effect of stolen auth tokens:
If the token is stolen, the attacker will only be able to do damage for a short period of time.
Detection of theft:
Token theft may only be detected through the use of heuristic algorithms or if the user notifies the provider/developer of the service.
Once detected:
Access tokens need not be revoked since they are short-lived. However, if needed, Opaque access tokens can be revoked by removing them from the database.
5. Short-lived access token with long-lived refresh token
- If the user voluntarily logs out, the access token is revoked and cleared from the frontend.
Damage analysis
The critical auth token (the refresh token) is perpetually exposed over two attack surfaces, the frontend and the backend, and only occasionally exposed in transit.
Effect of stolen auth tokens:
Access token stolen: The attacker will have unauthorised access for a short period of time (until token expiry).
Refresh token stolen: The attacker can use the stolen refresh token to get new access tokens and have unauthorised access to the victim’s account over a long period of time. In rare scenarios (described below), this theft can be detected and the damage can be minimised.
Detection of theft:
Access token stolen: This theft may only be detected through use of heuristic algorithms or if the user notifies the provider / developer of the service.
Refresh token stolen: Detection of theft is possible in certain scenarios and implementations. For example:
- One implementation could result in previous access tokens being immediately revoked upon generation of a new access token. This enables the system to recognize theft in the case when the attacker and victim are online at the same time. For example: if the attacker uses the refresh token, the victim’s access token would be revoked — causing the victim to request a new access token. This would result in another request from the attacker, and so on. If the backend could detect short-interval requests for new access tokens, then it would be possible to deduce that there has been a theft.
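The detection logic described for flow 2 (same token presented twice to obtain a new one) and for flow 5 above, as an added example that is not code from the original article or from SuperTokens: a minimal in-memory session store (class, method and field names are my own) that revokes the previous access token on every refresh, rotates the refresh token so that a second presentation of an already-consumed token identifies two holders, flags refresh requests closer together than a threshold, and stores only SHA-256 digests of tokens as the database section later recommends. Rotating the refresh token goes beyond what the flow above requires; for flow 2 the same checks apply with the access token in the role of the refresh token.

```python
import hashlib
import secrets

def digest(token: str) -> str:
    # Only a SHA-256 digest of each token is stored, so a database dump yields no live tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:  # in-memory stand-in for the backend session table (constructed for this example)
    def __init__(self, min_refresh_interval=5.0):
        self.sessions = {}        # session_id -> {"user", "access", "refresh", "last_refresh"}
        self.by_access = {}       # digest of the current access token -> session_id
        self.by_refresh = {}      # digest of the current refresh token -> session_id
        self.by_old_refresh = {}  # digest of every refresh token consumed by a rotation -> session_id
        self.min_refresh_interval = min_refresh_interval  # seconds; tighter than this looks like a race
        self.theft_alerts = []    # (session_id, reason) for each detected theft

    def _issue(self, sid, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        s = self.sessions[sid]
        self.by_access.pop(s.get("access"), None)  # the previous access token is revoked at once
        s.update(access=digest(access), refresh=digest(refresh), last_refresh=now)
        self.by_access[s["access"]] = self.by_refresh[s["refresh"]] = sid
        return access, refresh

    def login(self, user, now):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user}
        return (sid,) + self._issue(sid, now)

    def is_valid_access(self, access):
        return digest(access) in self.by_access

    def refresh(self, refresh_token, now):  # returns (access, refresh) or None when refused
        d = digest(refresh_token)
        sid = self.by_refresh.pop(d, None)
        if sid is None:
            if d in self.by_old_refresh:  # an already-rotated token presented again: two holders
                self._revoke(self.by_old_refresh[d], "refresh token reused")
            return None
        if now - self.sessions[sid]["last_refresh"] < self.min_refresh_interval:
            self._revoke(sid, "refresh requests too close together")  # victim/attacker race
            return None
        self.by_old_refresh[d] = sid
        return self._issue(sid, now)

    def _revoke(self, sid, reason):
        self.by_access.pop(self.sessions[sid]["access"], None)
        self.by_refresh.pop(self.sessions[sid]["refresh"], None)
        self.theft_alerts.append((sid, reason))
```

A refused refresh should be answered with a logout of that session, since after `_revoke` neither party holds a usable token.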
Once detected:
Access tokens need not be revoked since they are short-lived. However, if needed, Opaque access tokens can be revoked easily by removing them from the database.
Refresh tokens can be revoked easily by removing them from the database.
These flows are not designed with token theft detection as a requirement. In Part 2, we propose an alternate session flow that we believe would be far more secure. For now, we’ll revisit the types of attacks that sessions are vulnerable to and some steps to mitigate against the risks.
Best practices for attack mitigation
Man in the middle attacks
- When using HTTP or incorrectly implementing HTTPS:
If the application does not use HTTPS and secure cookies, an attacker could connect to the same network as the victim, monitor the network packets and see the auth tokens in plain text during transit. Often, even when the application has an SSL certificate, an incorrect implementation can lead to MITM attacks. For example, ESPN.com sends auth cookies over unsecured HTTP (as of 10th May 2019) and this Netcraft article elaborates on the prevalence of incorrectly implemented HTTPS.
- When using a Proxy:
Two of the last three organizations I worked at monitored all the traffic on their network. At workplaces, devices likely use the corporate wifi network. Companies can enable the connected devices to trust their network proxy as an SSL Certificate Authority as a prerequisite to connect to the wifi. This would enable them (or a malicious actor) to see auth token information during transmission.
OAuth token theft
XSS Attack
CSRF
Database/filesystem access
- Store only the hashed versions of the refresh and access tokens in your database to prevent an attacker who reads the database from hijacking any live session. This recommendation is applicable to all implementations described above.
- Using JWTs requires the private key to be stored on the server — which is susceptible to theft. If the attacker obtains the private key, they will be able to hijack both current and future sessions. To limit the damage, the private key used to sign the JWTs will need to be changed — instantly invalidating all current JWTs. In methods that use a refresh token (flow 5 in Part 1 and the proposed flow in Part 2), changing the private key will not affect the user experience, as the refresh token will be used to generate a JWT signed with the new private key.
Session fixation
Brute force attack
Social engineering / Physical access
- An attacker could simply read the cookies (even if they are Secure or HttpOnly) by inspecting the application page if the service is accessible via a browser. On a mobile app, this is harder but still possible.
- Depending on how an app’s session flows are implemented, an attacker could steal a user’s auth tokens even after the victim has logged out of the app. This video from 2013 shows how Twitter did not invalidate the session cookie even after the user logged out. As a commenter points out, this was still occurring even in 2016!