Replay-Resistant Stateful Session Handling

I am currently creating an RPC server using gRPC and want a secure way to handle session tokens. I am currently using stateful session handling, where the user logs on and the server replies with an session token, which the client sends in every RPC request. The server then uses this token to verify that the client is authenticated, and that the calling user has sufficient permissions. All communication happens over TLS, all standard stuff.

I’m concerned about the possibility that if an attacker got a hold of a valid session token, they could then use the token to pose as the user who originally had that token. I’ve been wondering if there’s a standard or well known algorithm that would allow clients to generate new stateful session tokens before every request that would only be valid for one use.

I’m thinking this could work similarly to how TLS negotiates a session key from the client random, server random, and premaster secret. Both the client and the server could decide on a shared “seed” that will allow them both to produce peudorandom session tokens in a deterministic order, and an attacker who gets ahold of a session token will only be able to use it if the client hasn’t already. The server would verify the client’s session tokens by generating the next session token from the shared “seed”, and verifying that it matched the sent session token.

The benefit of this would be that session tokens would only be valid for one request, but this system would fail if an attacker somehow got ahold of the shared “seed”. Still, because the “seed” would never be sent over the wire, this could provide some extra security. Does something like this exist, and if not is this a solid idea worth implementing? I do not want to roll my own crypto, hence why I am primarily seeking some standard way of doing this. But if nothing like this exists, I want to know if this is a flawed idea or not.

Does Using Opaque Access Tokens Make My Server Stateful?

I am trying to understand statelessness in restful APIs in the context of authentication. Here’s the scenario:

  1. The user logs in.
  2. The server verifies the username and the password, and generates an opaque access token. It caches some information related to this token – for example, the expiration time, the userId, whether this token was explicitly invalidated before it expired, etc.
  3. The token is sent to the client, and the client sends it with every future request.

Fielding’s dissertation defines statelessness as:

“…such that each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client.”

In my example, the client is sending the token with every request, so the first condition is satisfied. However, my server has a context associated with this session that is stored in the sessions cache.

Does this make my application stateful?

If yes, then is it that true statelessness be achieved only if we are using JWTs? I am pondering upon this as JWTs are quite new, so how were architects building truly stateless services before they were invented?

Stateful Scripts in Automator?

Is there a way to run stateful bash scripts in automator?

I’m trying to run something depending if a file does or does not exist. With bash script alone in terminal the code below works and will show the correct output, depending on wether the file exists or not.

Only one line of output per run of the script is displayed either way.

FILE="/Volumes/Canvio1TB/EyeTV Archive/sync.ffs_lock" if test -f "$  FILE"; then     echo "$  FILE exists" else   echo "$  FILE does not exist" fi 

When I run this in automator as a “run shell script” action the output is:

/Volumes/Canvio1TB/EyeTV Archive/sync.ffs_lock exists

/Volumes/Canvio1TB/EyeTV Archive/sync.ffs_lock does not exist

Regardless of wether the file exists or not, the script generates both lines of output.

 

If there’s a better approach I’d be open to using it – I haven’t had success with the syntax of applescript running a command based on the (non)existence of a full path & file.

Stateful detection in Snort

From whatever I have read of Snort, it can analyse a single packet at a time and raise an alert based on its rules.

What if I wish to have a rule based on multiple packets such as analysis of a protocol situation that can maintain its states, e.g. TCP or TLS?

Stateful detection in Snort

From whatever I have read of Snort, it can analyse a single packet at a time and raise an alert based on its rules.

What if I wish to have a rule based on multiple packets such as analysis of a protocol situation that can maintain its states, e.g. TCP or TLS?

Session Stickiness in a Stateful Microservice

I have created a simple Spring Boot Microservice for a game of Rock Paper Scissors. It involves in memory storage of registered players as well as the rounds that they play. Now, if I have to use it with a frontend in a scalable cloud environment I am going to require session stickiness. There are unique ids to players as well as the session that the two opponents play with. How can I ensure session stickiness when I have multiple instances of this microservice running in my cluster ?

Stateful vs non-stateful app

I have been learning about stateful apps vs non-stateful, but I am still a bit confused on this topic.

For example, let’s say I have an app running on Node where users are assigned to random rooms as soon as they connect through socket.io. These are rooms of 4 and not persistent in any way, but they are stored in a global variable as a hash map. I am not using a db (too many queries) nor redis (it’s too expensive).

Is this an example of a stateful app or not?

Strategy to deal with stateful applications in clusters

I have an app in which users are assigned to rooms. These rooms are saved server-side. In the beginning I was using a single instance so the rooms could be saved in-memory.

But now as I want to scale this is not a viable solution. Using databases seems like a very slow option, as the entries are too many and too fast to handle.

I have looked into memcached, but I read that it’s not reliable in a shared cloud environment (if the table is full it starts re-writing values).

How can I handle a situation such as this?

Difference(s) between an ACL and a Layer 4 (Stateful) Firewall

Please can someone explain the primary difference(s) between an ACL and a Layer 4 (Stateful) Firewall? I’m looking for a basic explanation if possible as I want to build my foundation knowledge.

I understand that an ACL (deny/allow) operates on a router/layer 3 switch and that a firewall can aswell, or as a standalone device, but that’s about it!

Thanks!