
Modeling your App's User Session - hackhackhack
https://github.com/blog/1661-modeling-your-app-s-user-session
======
chrisrhoden
While it is possible to do so, the information and code provided here does
absolutely _nothing_ to prevent replay attacks.

The ability to revoke sessions is nice, and somewhat related, but it's not the
same as preventing replay attacks.

Aside from providing visibility into active sessions, the only other reason I
can imagine this being better than signed cookies is if you didn't trust your
signing algorithm and wanted to prevent someone from changing parts of your
session cookie while retaining a valid signature. As far as I know, the
signatures used by Rails and Django have not been called into question.

~~~
simonw
How would you prevent replay attacks by someone who manages to get hold of a
session cookie?

~~~
jeffasinger
One technique is to hold other information along with the session cookie, such
as the client IP.

This isn't perfect, because there will be false positives that log people out
fairly often, but it would make session hijacking significantly harder.

~~~
simonw
I use a laptop and carry it between work and home, occasionally signing in to
a VPN. My IP address changes several times a day.

~~~
woadwarrior01
Add a hash of the userAgent in the session. How about adding some shared
secret in the browser's localStorage?

------
ollysb
I really like this. The session holds a lot of information about how your
users are using your app. You can get the same information with analytics etc.
but having it available in the DOM is really nice.

------
jafaku
Is this supposed to be a novel idea? I don't understand why GitHub is showing
how to do such basic stuff, or why it is being upvoted.

~~~
simonw
I've been developing web applications for 15 years and I've lost count of how
many times I've built some form of sessions. I learnt some neat tricks from
this article (mixing signed cookie sessions for logged out users with database
backed sessions for signed in, having a revoked_at field) that I hadn't used
before. Definitely worth an upvote.
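
An added illustration of the two mechanisms discussed in this thread (a server-side session row with a revoked_at field, as simonw describes, and a User-Agent hash bound to the session, as woadwarrior01 suggests); this is example code written for this page, not code from the GitHub article or from any commenter. The in-memory dict, the function names and the sample User-Agent strings are constructed stand-ins for a real sessions table and framework.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed in-memory stand-in for the database-backed sessions table.
SESSIONS: Dict[str, "Session"] = {}

def fingerprint(user_agent: str) -> str:
    # Hash of the User-Agent header, stored with the session.  The client IP is
    # deliberately left out: it changes several times a day for roaming users
    # and would log them out spuriously.
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

@dataclass
class Session:
    user_id: int
    ua_hash: str
    revoked_at: Optional[datetime] = None

def create_session(user_id: int, user_agent: str) -> str:
    # The cookie carries only a random opaque token; all state is server-side.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user_id, fingerprint(user_agent))
    return token

def resolve_session(token: str, user_agent: str) -> Optional[int]:
    """Return the user id for a presented cookie, or None if it is rejected."""
    session = SESSIONS.get(token)
    if session is None or session.revoked_at is not None:
        return None
    # A cookie replayed from a client whose User-Agent hash differs is refused.
    # This only raises the bar: a copy that also carries the same User-Agent
    # still replays, which is why server-side revocation is the real control.
    if not hmac.compare_digest(session.ua_hash, fingerprint(user_agent)):
        return None
    return session.user_id

def revoke_sessions(user_id: int) -> int:
    """Sign the user out everywhere by stamping revoked_at on live sessions."""
    stamp = datetime.now(timezone.utc)
    count = 0
    for session in SESSIONS.values():
        if session.user_id == user_id and session.revoked_at is None:
            session.revoked_at = stamp
            count += 1
    return count
```

Listing a user's rows in SESSIONS (with a created_at or last_seen column in a real table) gives the "active sessions" view the article is after, and revoke_sessions is the sign-out-everywhere button.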

------
vadivlkumar
What the crap?

~~~
Zikes
Care to elaborate?

~~~
vadivlkumar
It was purely an accident. Haven't even read the article. I deserve to be
punished.

