Sysadmin by day, developer by night

First, please excuse any typos or weird formatting. I am writing this post on my Android while waiting for my car to be serviced. I have been here four hours so far, so this is also a way to kill the boredom.

This is a post I have been wanting to do for a while. I have now written two session libraries, gaeutilities and asyncmongo sessions, so I feel I have a pretty good grasp of the issues.

With both libraries I introduced some security concepts that affect performance. The main security issue with HTTP sessions is that unless you are using SSL, it is too easy to sniff the session cookie off the wire and replay it to hijack a user's session.

My implementation, both times, has basically been a kludge to address this. I constantly change the token stored as a cookie in the browser to make hijacking more difficult. I also suggest that people implementing the library always tie the user account to an active session.
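As an added example, not code from gaeutilities or asyncmongo sessions, here is the rotation scheme described above in Python: the store binds the account to the session at creation, rotates the cookie token on every accepted request, and keeps hashes of retired tokens so a replay of one can be recognized. The class and function names (`RotatingSessionStore`, `hijack_scenario`) are my own, and it goes one step beyond the post in that a replayed, already-retired token revokes the whole session rather than just being rejected.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _key(token: str) -> str:
    """Store only a hash of the cookie value, so a dump of the session
    store cannot be replayed as-is."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Session:
    """Server-side session record. The account is bound at creation, so a
    token only ever maps to the user it was issued to."""
    user_id: str
    current_key: str                            # hash of the token the cookie must carry now
    created: float = field(default_factory=time.time)
    retired: set = field(default_factory=set)   # hashes of tokens already rotated away


class RotatingSessionStore:
    """Illustrative in-memory store (hypothetical, not library code): every
    accepted request retires the presented token and issues a fresh one."""

    def __init__(self, max_age: float = 3600.0):
        self.max_age = max_age
        self._active = {}    # current key -> Session
        self._retired = {}   # retired key -> Session, kept to spot replays

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._active[_key(token)] = Session(user_id=user_id, current_key=_key(token))
        return token

    def _revoke(self, sess: Session) -> None:
        self._active.pop(sess.current_key, None)
        for k in sess.retired:
            self._retired.pop(k, None)
        sess.retired.clear()

    def authenticate(self, presented: str):
        """Check the cookie token. Returns (user_id, new_token) on success and
        None otherwise. A token that was already rotated away is being
        replayed, either by a sniffer or by a client that lost the rotation
        response; the safe reaction is to revoke the whole session."""
        k = _key(presented)
        replayed = self._retired.get(k)
        if replayed is not None:
            self._revoke(replayed)
            return None
        sess = self._active.get(k)
        if sess is None:
            return None
        if time.time() - sess.created > self.max_age:
            self._revoke(sess)
            return None
        # Rotate: retire the presented token, issue and return a fresh one.
        del self._active[k]
        sess.retired.add(k)
        self._retired[k] = sess
        new_token = secrets.token_urlsafe(32)
        sess.current_key = _key(new_token)
        self._active[sess.current_key] = sess
        return sess.user_id, new_token


def hijack_scenario() -> dict:
    """Constructed walk-through: an attacker who sniffed the cookie uses it
    first, then the real user tries the same (now retired) token."""
    store = RotatingSessionStore()
    sniffed = store.create("alice")
    attacker = store.authenticate(sniffed)    # succeeds once and receives the rotated token
    victim = store.authenticate(sniffed)      # replay of a retired token: session revoked
    attacker_again = store.authenticate(attacker[1]) if attacker else None
    return {"attacker_first": attacker is not None,
            "victim_after": victim is not None,
            "attacker_after": attacker_again is not None}
```

`hijack_scenario` shows the limit of the kludge without SSL: an attacker who sniffed the cookie and uses it before the victim still gets one request in. Rotation only shortens the window and turns a silent hijack into a replay the server can see and react to, which is why the post calls it a kludge rather than a fix.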

In an ideal world all this token rotation would not be necessary. With HTTP 1.1 we can keep a persistent connection open. What would be nice is if we could use that connection itself as the session, and also have a way to recover identity if the connection is lost and reestablished.

We would also need a way for load balancers to interact with backends to manage that session id, so the load balancer could manage the session itself. There are already headers proxies use to pass client information upstream (X-Forwarded-For, for example); persistent-connection sessions could key off of those.

Cookies would still be useful. Sessions are really only necessary when identity must be confirmed.

Sessions are a problem that has been solved a lot of ways by a lot of frameworks. However, as browsers and HTTP servers (or at least proxies) move to supporting persistent connections, I think it can be done in a way that provides more security.

This is probably a little vague. I may see if I can hack a model together that demonstrates the concepts. The main question is how to handle the connection being lost without losing identity when the client reconnects. I don't think requiring a constant connection is the right answer; that feels like a step backwards as well.
