Search icon
Start Writing
LaunchDarkly adShip Fast. Rest Easy. LaunchDarkly.
Hackernoon logoThe best way to securely manage user sessions by@supertokens.io

The best way to securely manage user sessions

Originally published by SuperTokens onΒ June 8th 2019 9,589 reads
Author profile picture

@supertokens.ioSuperTokens

The most secure and easy to implement solution for user session management

This is part 2 in a two-part series on session management. If the reader understands the general concepts of JWT (JSON web token) and user sessions, then Part 2 can be read without reading PartΒ 1.

Part 1: Introduction to session management, analysis of most commonly used session flows, and best practices

Part 2: Analysis of a new open source session flow that is secure and easy to integrate

Part 1 provided an educational guide into session management (how auth tokens are handled, stored and changed during an active session) and we discussed several commonly employed session flows. However, we believe that the flows mentioned in Part 1 are sub-optimum in terms of security for most use cases. We came across a flow conceptualized by the IETF (Internet Engineering Task Force) in RFC 6819. We’ve taken the proposed flow, built it and upon request of others, have open sourced our code for the wider community.

In this post, we’ll explore and analyze the session flow, talk through some implementation details and provide you with a customizable library. The library is production ready and can be integrated with your system in under a day (currently available for NodeJS andΒ MySQL).

Suggested Flow

Rotating refresh tokens with short-lived accessΒ tokens

Suggested Auth flowβ€Šβ€”β€ŠClick toΒ Zoom
  • Access tokens are short-lived and refresh tokens are long-lived.
  • When a new refresh token is obtained, the old refresh and access tokens are invalidated on the backend and removed from the frontend. Doing this properly is not straightforward. Please see β€œNotes for Implementation”, discussed later.
  • If the user voluntarily logs out, the access and refresh tokens are revoked and cleared from the frontend.

Damage analysis
The critical auth token is perpetually exposed over two attack surfaces, the frontend, and the backend and occasionally exposed overΒ transit.

Effect of stolen auth tokens:
Access token stolen: The attacker will have unauthorised access for a short period of time (until tokenΒ expiry)

Refresh token stolen: Detection of theft will enable the stolen refresh token to be invalidated, limiting the damage to a short period ofΒ time

Detection of theft:
Access token stolen: This theft may only be detected through the use of heuristic algorithms or if the user notifies the provider / developer of theΒ service.

Refresh token stolen: Detection of theft will be possible as long as both the attacker and victim use the refresh token at least once post the attack. This is illustrated through an exampleΒ below.

  • An attacker has managed to acquire the victim’s refresh tokenβ€Šβ€”β€ŠRT0. Upon expiry of the access token (AT0), both the victim and the attacker would be required to use RT0 to acquire a new set ofΒ tokens.
  • If the attacker uses RT0 first, then they will receive a new RT1 and AT1, which when used, will invalidate RT0. When the victim uses the invalidated RT0, the server would receive a clear indication that theft has occurred since the client should have used RT1. A similar argument works if the victim uses RT0Β first.
  • If both, the victim and the attacker, use RT0 at the same time, then one would get (RT1, AT1), and the other (RT2, AT2). The next request by either of them with the new access token would either invalidate RT1 or RT2, resulting in either the victim or the attacker to be eventually [1] logged out. Again, here the backend would get a clear indication ofΒ theft.

Once detected:
Access tokens need not be revoked since they are short lived. However, if needed, Opaque access tokens can be revoked by removing them from the database.

Refresh tokens can be revoked easily by removing it from the database.

That summarizes the discussion of the conceptual flow. Below, are some additional pointers to keep in mind for readers that would like to implement this flow on their own. Alternatively, we have an open source implementation of this flow available onΒ Github.

Notes for Implementation

  1. The backend invalidates previous tokens when it generates a new pair. In the situation where the frontend does not receive the new tokens (for whatever reason), it will continue to use the previous invalidated onesβ€Šβ€”β€Šresulting in the user being logged out. To prevent this, the backend should invalidate the previous tokens only when the frontend uses the new tokensβ€Šβ€”β€Šconfirming its successful receipt.
  2. The system generates a new, different refresh token (RT) each time a valid RT is used. To prevent false positives (an indication of theft) and user logouts, one must factor in race conditions that can occur on the frontendΒ [2].
  3. If a refresh token is revoked, then ideally its access token should also beΒ revoked.
  4. Detection of refresh token theft does not require the database to explicitly store invalidated tokens. This can be achieved through structuring the refresh tokens using parent-child hierarchies (see Github implementation).
  5. Implementations with JWT access tokens can be as scalable, in terms of space and time complexity, as session flow 5 in part 1. We only need to store one refresh token per logged in user per device in the database.

That concludes the bulk of the matter we have on session management. Below you will find a GitHub repository with the source code that deals with all of the implementation issues. It is highly customizable to your requirements and can be quickly integrated into your system. It is also very secure in terms of prevention and detection of token theft. We’d love to know what you think of itβ€Šβ€”β€Šplease do leave a comment or emailΒ us.

SuperToken Library

As long as the library is aliveβ€Šβ€”β€Šwe promise to support it (fix bugs, address issues, add features and update documentation) and be responsive (via SO, emailΒ etc).

To show some additional love to our early readers, we’re offering the following dedicated support:

  • Free consultations on your current session management system including identifying vulnerabilities and suggesting improvements for your particular useΒ case.
  • Free support for the SuperToken library. If you have any issues with implementation, bugs, and customisationsβ€Šβ€”β€Šwe’ll be available onΒ demand.

Dedicated support will only be free till the 10th of JulyΒ 2019!

If you refer others to the library (anyone who contributes to or uses the library), we will provide you and that person an additional month of free dedicated support beyond July. The more people, the more support (up to 6 months maximum). Refer to the Git readme to see more details regarding this.

Final conclusion and recommendations

Building a production-ready session management solution is nontrivial. It requires deep knowledge and is expensive in terms of time and money. Many developers do not prioritize session managementβ€Šβ€”β€Šleading to suboptimal, unsecured systems in production.

We’ve discussed various session flows in these two posts. Depending on the requirements, one flow might be better suited than the others. In general, our recommendation would be the following:

For services that deal with very sensitive data (eg: a stock trading platform or something like Ashley Madison), security may take precedence over user experience. The ideal flow would be a combination of session flow 3 and session flow 4 from part 1. Specifically, use short-lived access tokens whose active usage will extend expiry for some finite amount of time. However, this would require users to re-login when tokens expireβ€Šβ€”β€Šwhich could happenΒ often.

For all other services, the flow mentioned above is likely to be appropriate. Within this, the use of JWT access tokens is recommended (for easier scalability). However, if it’s important that access tokens be instantly revokable, then use Opaque access tokens. Additionally, security can be improved through the use of 2-factor authentication or passwordless login methods. The latter has the benefit of not requiring users to remember yet another password.

And that’s it! Please do let us know what you thought while reading this through the comments or by emailing us here. We hope this wasΒ useful.

Footnotes

[1] If using opaque token, then immediate logout, else they would be logged out after the expiry time of their newΒ JWT.

[2] This is a race condition problem: Let’s say a user has opened your app in Tab1 and Tab2 in their browser. Both these tabs share the same set of cookies. The following illustration demonstrates how a race condition can lead to userΒ logouts.

Related

Are you using JWTs for user sessions in the correct way?

5 reactions
#jwt
Author profile picture

@supertokens.ioSuperTokens

12min
05/13/20

Introducing The Velo Writing Contest by Wix & Hacker Noon

14 reactions
#velo
Author profile picture

@hackernooncontestsHacker Noon Contests

02/23/21

Tags

#cookies#identity-management#authentication#open-source#web-development
Join Hacker Noon

Create your free account to unlock your custom reading experience.