I am building a RESTful application. I plan to use OpenID for user authentication. Currently, I am using LightOpenID for OpenID authentication and I am able to authenticate my users.
My question is: what comes next, after authentication?
I did search for examples with regard to implementation, but all examples stop at authentication and do not talk about session management! I would like to know how you manage the sessions in your applications and, if possible, best practices and concerns in implementing an approach.
If you are aware of any reference implementations, please provide me the link.
RESTful API endpoints should always maintain a stateless session state, meaning everything about the session must be held at the client. Each request from the client must contain all the necessary information for the server to understand the request.
The session management API works with sessions stored in persistent storage and across clustered nodes. For this API, the runtime APIs audit log only records session revoke events. Important: OAuth clients must authenticate to the API using their configured client authentication method.
Each REST API call by a client is associated with a web service session. A session is created when a client calls the Login API and stays active until it times out or is logged out. When the session is created, a session ID that looks like a GUID is generated and assigned to it by the server.
First, some important security advice you should keep in mind:
You should also read about http-only cookies and how to configure them properly using PHP.
Since it's a REST application, I will have to use cookies for session management, right?
Using sessions would be the safest (best) option, but of course there are a lot more solutions to session management. But if you use cookies only (no PHP $_SESSION), then you should of course encrypt your cookie. But I would advise you to just use $_SESSION.
What values do I store in Cookies?
You don't store anything in the cookies. $_SESSION creates the cookie (automatically, so you don't have to think about it) for you, which is unique. Everything you put into $_SESSION is stored on the server, so the user cannot read this. You could store whatever information you like in the session, but keep in mind that it is best to NEVER store sensitive data (PIN numbers, credit cards, passwords, etc.) in your application if possible. I have already mentioned that your $_SESSION is stored on the server, but the cookie, which has a unique identifier to match with the session stored on disk (or in a database), could be guessed (spoofed).
How do I validate the session?
You validate the session by inspecting the information stored inside the session. I assume you store at least $_SESSION['id'] = $openid->identity; inside your session. Keep in mind that after the user logs in to your website using OpenID you should regenerate your session (id) to prevent session fixation.
How do I logout a user?
You just call session_destroy and all the data stored inside the session will be deleted.
I hope this explained all your questions.
A session in the cookie jar gives you a basic introduction to sessions (although I don't see it mention session fixation :$).
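An added example (not code from the answer above or from LightOpenID) that puts the answer's points into a small PHP session helper: an HttpOnly session cookie, the session id regenerated at login, the OpenID identity kept in $_SESSION, and session_destroy plus cookie expiry at logout. It assumes PHP 7.3 or newer and that $openid->identity comes from a validated LightOpenID response; the idle timeout and the SameSite flag are this example's additions.

```php
<?php
// Added example, not code from the original answer: the session lifecycle the
// answer describes. Assumes PHP 7.3+ (array form of session_set_cookie_params
// and setcookie) and an identity string from a validated LightOpenID response.
declare(strict_types=1);

function startSecureSession(): void
{
    // The cookie carries only the session id; flags keep it away from script
    // access (httponly), plain HTTP (secure) and most cross-site sends (samesite).
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the id from the URL
    session_start();
}

// Call once LightOpenID has validated the identity.
function loginUser(string $identity): void
{
    session_regenerate_id(true);   // fresh id after login: blocks session fixation
    $_SESSION['id'] = $identity;   // the value the answer suggests storing
    $_SESSION['last_seen'] = time();
}

// Validate: returns the identity for a live session, null if not logged in
// or idle longer than $maxIdle seconds (the idle timeout is an addition here).
function currentUser(int $maxIdle = 1800): ?string
{
    if (empty($_SESSION['id']) || empty($_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > $maxIdle) {
        logoutUser();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['id'];
}

// Logout: clear server-side data, expire the client cookie, destroy the session.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}
```

In the OpenID return handler, call startSecureSession() before anything touches $_SESSION, and loginUser($openid->identity) only after LightOpenID reports a validated response; every other endpoint then calls currentUser() and treats null as unauthenticated.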