Qual método usar para deixar um usuário logado (JWT cookie vs SESSION)

Então, minha duvida é a seguinte, qual o melhor método para se criar uma “sessão” de logado para o usuário.

Eu aprendi a criar essa sessão usando JWT em cookie, porém o cookie é acessível pelo navegador, e lá tem algumas informações como o ‘id‘ do usuário que uso para dar alguns SELECT no site.

Eu fiz validação, coloquei até uma criptografia que um amigo me mandou, que deixou mais seguro doq só usar base64.

Porém consigo fazer a mesma coisa usando SESSION.

Qual o melhor método para criar esse status de “logado” e o porquê?


Eu faço essa pergunta pois quero aprender o método mais leve para o servidor, e o mais seguro, não me sinto tão confortável em deixar que o usuário possa acessar as informações no cookie.

Session key is same throughout the session, can this behavior be exploited?

this application uses session key instead of CSRF token but this session key is same throughout the session, its not changing. It only changes if I logout and then again login in the application.

My question is

  1. Is session key and CSRF token similar?
  2. Can this behavior of key remaining same throughout the session be exploited by an attacker in any way?

Re-install Ubuntu 18.04 desktop and session – failed session issue

When I am trying to re-install ubuntu-desktop I get dependency issue.

first is missing gdm3, gnome-shell, nautilus and ubuntu-session

WHen I try to install gdm3, appear dependency issue that libgdm1 version is not correct (required 3.28.0-ubuntu1, but installed latest)…

How to solve this conflict as I am not able to login anymore, failed session issue

como restauro um valor de um objeto session no laravel?

olá,

tenho este objeto de session e não consigo acessar os arrays. Como faço? Itero? Qual laço usaria para ter uma determinada posição dos arrays?

Cart {#268 ▼   -items: array:2 [▼     2 => array:5 [▶]     1 => array:5 [▶]   ]   #connection: null   #table: null   #primaryKey: "id"   #keyType: "int"   #perPage: 15   +incrementing: true   +timestamps: true   #attributes: []   #original: []   #relations: []   #hidden: []   #visible: []   #appends: []   #fillable: []   #guarded: array:1 [▶]   #dates: []   #dateFormat: null   #casts: []   #touches: []   #observables: []   #with: []   +exists: false   +wasRecentlyCreated: false } 

What is the best way to store and manage client server server and back session information and authorisation?

I have scenario, where I have javascript front-end connected using AJAX communicating with Django-Rest-Framework backend. Users authenticate using JWT tokens. Backend is acting as chatbot and receiving/sending messages as JSON objects.

Now in some instances, I sent this data to infermedica API which does medical analyses. This API does not have direct “client keys”. I need to pass JSON messages from the server (using headers to authenticate).

In many instances informedica sends, additional questions bot needs to ask from the client, in my case I have limited this to 15 questions. After this it’s passing the response object back, consisting most likely medical condition. Based on the condition I then call 2 other endpoints giving treatment advice and a possibility to schedule appointments with suitable medical professional.

My question is what is the good way to store the state of these requests to make sure all the info is passed to informedica and that response is send back to a right user.

I would like this to be as real-time as possible. My considerations is to store session info using Redis on server side keeping the track of user and users requests as key values and passing messages back based on this.

Is there an alternative way of somehow passing the authentication state directly to the client without actually sending the keys?

Is there a good open source project where something like this is done so I could look at the code? Python preferred.

This would be highly useful as I could just use browser cache for the request information and I can pass correct type of JSON request directly from the client.

Magento 2.3.1 session problem with Redis

I am using Magento 2.3.1 with Redis 5.0.4. I use it for session and backed cache. My

env.php file

is this for session:

x-frame-options' => 'SAMEORIGIN',     'MAGE_MODE' => 'developer',     'session' => [         'save' => 'redis',         'redis' => [             'host' => '127.0.0.1',             'port' => '6379',             'password' => '',             'timeout' => '2.5',             'persistent_identifier' => '',             'database' => '2',             'compression_threshold' => '2048',             'compression_library' => 'gzip',             'log_level' => '3',             'max_concurrency' => '6',             'break_after_frontend' => '5',             'break_after_adminhtml' => '30',             'first_lifetime' => '600',             'bot_first_lifetime' => '60',             'bot_lifetime' => '7200',             'disable_locking' => '0',             'min_lifetime' => '60',             'max_lifetime' => '2592000',             'sentinel_master' => '',             'sentinel_servers' => '',             'sentinel_connect_retries' => '5',             'sentinel_verify_master' => '0' 

and this for backend:

'cache' => [         'frontend' => [             'default' => [                 'id_prefix' => '358_',                 'backend' => 'Cm_Cache_Backend_Redis',                 'backend_options' => [                     'server' => '127.0.0.1',                     'database' => '0',                     'port' => '6379',                     'password' => '' 

Everything seems fine, when monitor Redis I see data.

But in admin, in All customers > Grid

I can’t sort the fields with any column. It just refreshes the page and always the records are the same.

This happens only in this grid…Products and the others grids the sorting is working fine.

Any ideas please where to check?

Open ID Connect Session Management Access/Refresh Token vs Session iFrame

We have a web app in which we allow users to log into the app using any Open ID provider(e.g. Okta, Google, Facebook etc.). We want to implement the correct Open ID Connect prescribed methodology/workflow to keep the user logged into the site.

The existing implementation, looks at the expiry of the Access Token then if it’s close to expiry uses a Refresh Token to get a new Access Token to keep the user logged in. I feel like this is wrong. When a user logs in to the web app, the Identity Token is used to Authenticate the identity of the user using the Authorization Code workflow. The Access Token and Refresh Token are stored on the server side. Periodically, the Refresh Token is used to get new Access Tokens to keep the user logged into the site. I believe this is a security risk because –

Imagine if a user is logged onto his OP account in a browser. He opens up Sky and is directly logged into MP because he’s already logged into MP. He then in a separate tab, logs out of his OP account. He will continue to be logged into MP for days on the basis of this Refresh Token/Access Token mechanism! Isn’t this a security risk?

If feel like the correct way to go about this is to use Session Management using iframes as prescribed here on OIDC – https://openid.net/specs/openid-connect-session-1_0.html

For more context, when a user logs into our WebApp we pull data from the OP’s UserInfo endpoint to create a profile within our WebApp and set permissions/roles within our app based on data sent over from the OP’s UserInfo endpoint. We continue doing this periodically. For this purpose, I feel like using the Access Token(and using the Refresh Token to get new Access Token) to access the UserInfo API is correct because it conforms to the OAuth 2.0 concept of protecting/authorizing API/Resource endpoints using Access Tokens.

I want to know if this is indeed the correct way to manage how a user should be logged in when supporting Open ID Connect.

How does this Session work (web)

It is difficult for me to fully understand this whole process.

I am using express.js and express-session.js with Node.

Now if someone logs in, a session is stored in the session store(server side) and as a cookie (client side).

Besides other configuration options, there is:

my session name is : 'session_ID' and the secret is : 'secret' (*just for this demonstration*) 

Example: Server side-> Store: sess:II3l_VBObKhFSN_qo3cu5mL5bjZzCJwL :{\"cookie\":{\"originalMaxAge\":300000,\"expires\":\"2019-04-11T18:42:22.104Z\",\"secure\":false,\"httpOnly\":true,\"path\":\"/\",\"sameSite\":true},\"userId\":\"5cad03dbba90381e7a1c150f\"}

Client side-> Cookie: (see Screenshot)

Now the value of the cookie is the following:

session_ID:"s%3AII3l_VBObKhFSN_qo3cu5mL5bjZzCJwL.1d1i6LfkW%2F%2BcrkvDvJqsPTvybmNenEaMgj87vTRrYVY" 

I know that s%3 is some kind of prefix

then there is the sessionId: AII3l_VBObKhFSN_qo3cu5mL5bjZzCJwL

and the last thing after the dot (.): 1d1i6LfkW%2F%2BcrkvDvJqsPTvybmNenEaMgj87vTRrYVY

So correct me if I am wrong but my assumption is:

the sessionID is long enough so it will be safe against bruteforcing a right sessionID and logging in as someone else.

If a client sends a request with the cookie, I can get his data from the session store (here it would be the userId) and make decisions based on that.

So what is the thing after the dot? 1d1i6LfkW%2F%2BcrkvDvJqsPTvybmNenEaMgj87vTRrYVY

Why do I need a secret?

Magento 2 Increase guest session time and keep the items in cart for 20 days

I want t increase guest user session time in magento. If guest user add to cart and just go for lunch or any other activity putting his/her website open in browser, when user come after 5-6 hours check website after 6-7 days they see their item added to cart in website.

How can we do that? How can i make persistent guest session so whenever guest customer come to site they see their added product in cart?

Right now if customer come after 4-5 hours cart gets empty.

Any help would be appreciated