In this article, we discuss best practices for securing user sessions, including the difference between JWT and Opaque access tokens.
This article will introduce session management, analyze commonly used session flaws, and demonstrate best practices. Part two will take a look at a new open source flow that is secure and easy to integrate into existing systems. Specifically, in part one, we cover:

Note: Do not confuse session management with OAuth, as the latter is a protocol designed only for the purpose of delegation. Session management, for the purpose of this article, is about how auth tokens are handled, stored, and changed during an active session — whether it be for OAuth flows or for server-client session flows.

Disclaimer: This post was authored by SuperTokens – we provide an open source, secure and easy to implement solution for user session management.

Session security is an important consideration in the design of any system that requires communication between a server and a client. Improper security can leave user accounts vulnerable to unauthorized access. OWASP (Open Web Application Security Project — a leading authority on application security) considers the improper implementation of authorization/authentication the second biggest risk to application security. Several notable hacks illustrate this point:

It is tricky, time-consuming, and expensive to correctly implement user session management. According to an a16z operating partner (top tier VC) and former Box CSO (Chief Security Officer), “authentication and authorization is the number one spending cost for organizations when it comes to their security budget.”

This is the tip of the iceberg, but we hope it is enough for anyone to realize that they could be the next Titanic if they do not correct their course.

We’ll briefly explore the two predominant types of tokens that are used in session management. Several of the flows we discuss require an understanding of these tokens.
While these two token types have different properties, theft of either type can lead to unauthorized access to a user’s account. Auth tokens are stored on the frontend and the backend and are frequently sent over the network (depending on the session flow). As such, they are vulnerable to several types of attacks. While it may seem that these attacks are unlikely, it is important to take session security seriously and deploy appropriate measures: the exposure of the system is the cumulative probability of all the types of attacks, not of any single one. Further on, we discuss how each of these attacks could lead to token theft and we explore best practices to mitigate them.

To keep tokens safe, a system architect should not only prevent tokens from being stolen but, as a fail-safe, also ensure that should token theft occur, the system is able to detect it as quickly as possible. Detection is an important concept to consider and will be explored in the next section.

Prevention is the first line of defense, and all attempts should be made to minimize theft. However, auth tokens are fundamentally susceptible to theft because they are transmitted to an untrusted party (the app’s frontend). Hence, detection of token theft has an important role to play in the security of the system. Existing detection methods rely largely on heuristic algorithms such as tracking sudden changes in IP addresses and browser (or mobile) fingerprints and flagging “unusual user behavior”. Unfortunately, these methods themselves can be inaccurate, easy to spoof, and difficult to implement. However, there is a reliable way to integrate detection of theft into the session management flow, and in part 2 we propose a flow that does that.

On a related note, in cases where session vulnerabilities are publicly exposed, companies may release statements stating that there was no indication that the vulnerability was exploited. However, what they fail to mention is how extensively their system would be able to detect token theft in the first place!

We’ve identified the most commonly used session management flows and classified them into five groups.
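To make the point about heuristic detection concrete, here is an added illustration (not code from the original article or from SuperTokens) of the IP-address and fingerprint-change heuristic described above, run over constructed session activity: a legitimate user changing networks is flagged, while a stolen token presented with the same IP and User-Agent as the real client is not. The event fields, session identifiers and addresses are all constructed for the demo.

```python
"""Heuristic session-theft detection over constructed activity events.

Added example, not from the original article or from SuperTokens. It flags
a request when the client IP or browser fingerprint (reduced here to the
User-Agent string) differs from what the session presented on its first
request, and measures how often that heuristic is wrong.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    session_id: str   # identifier of the auth token / session being used
    ip: str           # client address seen by the backend
    user_agent: str   # stand-in for a browser or mobile fingerprint
    label: str        # demo ground truth only: "legit" or "theft"


def detect(events):
    """Return one boolean per event: True when the event's IP or User-Agent
    differs from the (IP, User-Agent) pair first seen for that session."""
    baseline = {}
    flags = []
    for ev in events:
        seen = baseline.setdefault(ev.session_id, (ev.ip, ev.user_agent))
        flags.append((ev.ip, ev.user_agent) != seen)
    return flags


def evaluate(events):
    """Count false positives and false negatives against the demo labels."""
    fp = fn = 0
    for ev, flagged in zip(events, detect(events)):
        if ev.label == "legit" and flagged:
            fp += 1
        if ev.label == "theft" and not flagged:
            fn += 1
    return {"false_positives": fp, "false_negatives": fn}


UA_CHROME = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
# Constructed sample traffic, not real log data.
EVENTS = [
    Event("sess-A", "203.0.113.10", UA_CHROME, "legit"),  # baseline request
    Event("sess-A", "198.51.100.7", UA_CHROME, "legit"),  # same user, now on mobile data: flagged (false positive)
    Event("sess-B", "203.0.113.22", UA_CHROME, "legit"),  # baseline request
    Event("sess-B", "192.0.2.99", "curl/8.4", "theft"),   # stolen token replayed from a different client: flagged
    Event("sess-C", "203.0.113.31", UA_CHROME, "legit"),  # baseline request
    Event("sess-C", "203.0.113.31", UA_CHROME, "theft"),  # stolen token with matching IP and UA: not flagged (false negative)
]

if __name__ == "__main__":
    print(evaluate(EVENTS))  # {'false_positives': 1, 'false_negatives': 1}
```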