I would love an explanation of how Firebase client-side sessions work. Here is what a token Firebase puts in local storage looks like. What do these values represent and why?
Edit: This explains some things https://www.firebase.com/docs/security/custom-login.html
{
iv: '9TCC9J+eqdgwYfLyg7nwWQ==',
v: 1,
iter: 1000,
ks: 128,
ts: 64,
mode: 'ccm',
adata: '',
cipher: 'aes',
salt: '7I8yHru1oBc=',
ct: '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'
}
[Engineer at Firebase] The payload that you're seeing is the encrypted storage blob used to persist session metadata for Firebase Simple Login.
Note that this is not used in Firebase proper, just the Simple Login service (delegated token generation) which is built on top of Custom Login (custom token generation).
Firebase Simple Login includes a useful, built-in feature to persist user sessions for some period of time (configurable up to 30 days). When building this, we wanted to ensure a few different things:
- Firebase doesn't force you to use SSL for your application, so storing sensitive data in cookies is out of the question.
- Browsers allow you to set an expiration on cookies, but not local storage, making a local storage-only solution impractical.
- Also, storing data in cookies against your domain will cause that data to be sent over the wire on every request, using unnecessary bandwidth.
Consequently, Firebase Simple Login uses a hybrid solution and stores data in both cookies and local storage, leveraging the advantages of each. The data stored in the browser is also encrypted, requiring you to have access to both the local storage payload and the cookie payload (prior to expiration) in order to access session metadata.