
Managing session in REST application after authentication with OpenID

I am building a RESTful application. I plan to use OpenID for user authentication. Currently, I am using LightOpenID for OpenID authentication and I am able to authenticate my users.

My question is: what next, after authentication?

  1. Since it's a REST application, I will have to use cookies for session management... right?
  2. What values do I store in Cookies?
  3. How do I validate the session and user logout?

I did search for examples with regard to implementation but all examples stop at authentication and do not talk about session management! I would like to know how you manage the sessions in your applications and if possible best practices and concerns in implementing an approach.

If you are aware of any reference implementations please provide me the link.

Asked by Abdel Raoof Olakara, Feb 01 '11




1 Answer

Important:

First, some important security advice you should keep in mind:

  • You should also read about HTTP-only cookies and how to configure them properly using PHP.

  • You should be wary of session fixation and protect yourself against it using session_regenerate_id. I also find there are some interesting countermeasures on the Wikipedia page for session fixation.

Your questions:

Since it's a REST application, I will have to use cookies for session management... right?

Using sessions would be the safest (best) option, but of course there are a lot more solutions to session management. But if you use cookies only (no PHP $_SESSION) then you should of course encrypt your cookie. But I would advise you to just use $_SESSION.

What values do I store in Cookies?

You don't store anything in the cookies. $_SESSION creates the cookie (automatically => you don't have to think about it) for you, which is unique. Everything you put into $_SESSION is stored on the server, so the user cannot read this. You could store whatever information you like in the session, but keep in mind that it is best to NEVER store sensitive data (PIN numbers, credit cards, passwords, etc.) in your application if possible. I have already mentioned that your $_SESSION is stored on the server, but the cookie which has a unique identifier to match with the session stored on disk (or in a database) could be guessed (spoofed).

How do I validate the session?

You validate the session by inspecting the information stored inside the session. I assume you store at least $_SESSION['id'] = $openid->identity; inside your session. Keep in mind that after the user logs in to your website using OpenID you should regenerate your session (id) to prevent session fixation.

How do I logout a user?

You just call session_destroy and all the data stored inside the session will be deleted.


I hope this explained all your questions.

PS:

"A session in the cookie jar" gives you a basic introduction to sessions (although I don't see it mentioning session fixation :$).

Answered by Alfred, Sep 20 '22
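The steps in the answer above (HTTP-only cookie configuration, regenerating the session ID after the OpenID login, validating by inspecting $_SESSION, and session_destroy on logout) put together in one PHP file. This is an added example, not code from the question, the answer, or the LightOpenID project. It assumes LightOpenID is loadable from `openid.php` with the `mode`, `validate()` and `identity` members, that the app is served over HTTPS, and that the route paths, session keys and the 12-hour absolute lifetime are choices of this example rather than anything the page prescribes.

```php
<?php
// Added example (not part of the original answer): a minimal session layer
// around a LightOpenID login. Function names, session keys and routes are
// this example's own; LightOpenID's API is assumed as documented by that project.
declare(strict_types=1);

require_once 'openid.php';

// 1. Harden the session cookie before session_start() is called anywhere.
function configure_session(): void
{
    // Reject session IDs the server never issued (defeats fixation via a
    // pre-set cookie) and keep the session ID out of URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, dropped on close
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// 2. Called on the OpenID return URL once the provider redirects back.
function finish_openid_login(LightOpenID $openid): bool
{
    if ($openid->mode === 'cancel' || !$openid->validate()) {
        return false;
    }
    // Fresh session ID after authentication: whatever ID existed before login
    // (possibly chosen by an attacker) is discarded together with its data.
    session_regenerate_id(true);
    $_SESSION['openid_identity'] = $openid->identity;
    $_SESSION['login_time']      = time();
    return true;
}

// 3. Every protected request: the session is valid only if the login step
//    above populated it; nothing supplied by the client is trusted directly.
function current_user(): ?string
{
    if (empty($_SESSION['openid_identity'])) {
        return null;
    }
    // Absolute lifetime of 12 hours (an assumed policy for this example).
    if (time() - ($_SESSION['login_time'] ?? 0) > 12 * 3600) {
        logout();
        return null;
    }
    return $_SESSION['openid_identity'];
}

// 4. Logout: wipe server-side data, expire the cookie, destroy the session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Request dispatch on assumed routes.
configure_session();
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
switch ($path) {
    case '/openid/return':
        $openid = new LightOpenID($_SERVER['HTTP_HOST']);
        header('Location: ' . (finish_openid_login($openid) ? '/' : '/login?error=1'));
        exit;
    case '/logout':
        logout();
        header('Location: /login');
        exit;
    default:
        $user = current_user();
        if ($user === null) {
            http_response_code(401);
            exit('Not authenticated');
        }
        header('Content-Type: application/json');
        echo json_encode(['identity' => $user]);
}
```

The point worth checking in your own deployment is that `session_regenerate_id(true)` runs only after `validate()` succeeded, so the pre-login ID never carries the authenticated state, and that `use_strict_mode` is on, so a session cookie the server did not issue is ignored rather than adopted.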