Remember-me Authentication Tokens on the Browser


Emile Cormier

Jul 9, 2019, 12:03:22 PM
to WAMP
What is the best way to store a "remember me" authentication token on a browser accessing a WAMP-based web app? Has this use case ever been considered?

I could make my backend generate a random token string associated with an expiry time, and have the browser store it in localStorage, but I am concerned about XSS vulnerabilities.

Any feedback would be appreciated.

Cheers,
Emile Cormier

Tobias Oberstein

Jul 9, 2019, 12:28:57 PM
to wam...@googlegroups.com, Emile Cormier
Hi Emile,

We are using authmethods=[cookie, cryptosign] or authmethods=[cookie,
wamp-cra].

When no valid cookie is sent, crossbar will fall back to the 2nd
authmethod (e.g. cryptosign or wamp-cra or whatever is specified), and
upon successful authentication, store the resulting auth credentials in
its built-in cookie DB and set a cookie on the client.

Next time the client comes around and presents that (now valid ==
authenticated) cookie, crossbar will immediately use those stored
credentials.

There are also knobs to time out cookies, etc.

does that help?

cheers,
/Tobias

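The cookie-then-fallback flow Tobias describes, as an added example that is not Crossbar's own code: a small Python model of a router configured with authmethods=[cookie, wamp-cra]. A valid, unexpired cookie in the WebSocket handshake yields the stored credentials straight away; otherwise the router runs a WAMP-CRA challenge/response, and on success writes the credentials to its cookie DB and issues a fresh cookie. The cookie name (cbtid), the lifetime "knob", the user table and the challenge layout are assumptions made for the example; the signature is the unsalted WAMP-CRA form, base64(HMAC-SHA256(secret, challenge)).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed static user table for the fallback method (wamp-cra).
# The user, secret and role are invented for this example.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"secret": "correct-horse-battery-staple", "role": "frontend"},
}

COOKIE_NAME = "cbtid"            # assumed cookie name, for illustration only
COOKIE_MAX_AGE = 7 * 24 * 3600   # the "timeout knob": cookie lifetime in seconds (assumed)


def wampcra_sign(secret: str, challenge: str) -> str:
    """Unsalted WAMP-CRA signature: base64(HMAC-SHA256(secret, challenge))."""
    mac = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


@dataclass
class CookieRecord:
    """What the router remembers for a cookie: the credentials it stands for."""
    authid: str
    authrole: str
    created: float


@dataclass
class Router:
    """Model of authmethods=[cookie, wamp-cra]: cookie first, challenge/response fallback."""
    cookie_db: Dict[str, CookieRecord] = field(default_factory=dict)
    max_age: int = COOKIE_MAX_AGE
    clock: Callable[[], float] = time.time   # injectable so expiry can be tested

    def _cookie_value(self, headers: Dict[str, str]) -> Optional[str]:
        # Pull our cookie out of the WebSocket handshake's Cookie header, if present.
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME and value:
                return value
        return None

    def lookup_cookie(self, headers: Dict[str, str]) -> Optional[CookieRecord]:
        """Return the stored credentials for a known, unexpired cookie; otherwise None."""
        value = self._cookie_value(headers)
        if value is None:
            return None
        rec = self.cookie_db.get(value)
        if rec is None:
            return None                    # unknown cookie: fall back to the 2nd method
        if self.clock() - rec.created > self.max_age:
            del self.cookie_db[value]      # expired: forget it and fall back
            return None
        return rec

    def authenticate(
        self,
        headers: Dict[str, str],
        authid: str,
        answer_challenge: Callable[[str], str],
    ) -> Tuple[str, str, str, Optional[str]]:
        """Return (authid, authrole, authmethod used, new cookie value or None).

        `answer_challenge` stands in for the client's half of the WAMP
        CHALLENGE/AUTHENTICATE exchange: it gets the challenge string and
        must return the WAMP-CRA signature. It is never called when a valid
        cookie is presented.
        """
        rec = self.lookup_cookie(headers)
        if rec is not None:
            return rec.authid, rec.authrole, "cookie", None

        # No valid cookie: fall back to wamp-cra.
        user = USERS.get(authid)
        if user is None:
            raise PermissionError("unknown authid")
        challenge = json.dumps({
            "authid": authid,
            "authrole": user["role"],
            "authmethod": "wampcra",
            "nonce": secrets.token_hex(16),
            "timestamp": int(self.clock()),
        })
        expected = wampcra_sign(user["secret"], challenge)
        provided = answer_challenge(challenge)
        if not hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8")):
            raise PermissionError("bad WAMP-CRA signature")

        # Success: remember the credentials and hand the client a random cookie.
        cookie = secrets.token_urlsafe(24)
        self.cookie_db[cookie] = CookieRecord(authid, user["role"], self.clock())
        return authid, user["role"], "wampcra", cookie
```

The cookie value carries no information itself; it is only a random lookup key into the router-side DB, so the record (and with it the remembered login) can be dropped server-side at any time, and an expired record is deleted on the next presentation rather than silently kept around.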

Emile Cormier

Jul 9, 2019, 12:40:52 PM
to WAMP
Thanks Tobias. Is the cookie HttpOnly and SameSite? Will [cookie, ticket] work with dynamic authentication?

Tobias Oberstein

Jul 9, 2019, 1:01:43 PM
to wam...@googlegroups.com, Emile Cormier
On 09.07.19 at 18:40, Emile Cormier wrote:
> Thanks Tobias. Is the cookie HttpOnly and SameSite? Will [cookie,
> ticket] work with dynamic authentication?

* [cookie, xyz] will work for _any_ xyz authmethod
* it will only work on WAMP over websocket, not rawsocket (because that
transport doesn't have a cookie concept)
* regarding the additional headers you mention:
https://github.com/crossbario/crossbar/issues/1511

Emile Cormier

Jul 9, 2019, 2:15:41 PM
to WAMP
Thanks. +1 for us on implementing #217.

I don't know if it's technically possible, but supporting/emulating [cookie] authentication for rawsocket transports would make automated testing easier. Our test suite currently uses rawsocket connections to exercise the app's API.

Tobias Oberstein

Jul 10, 2019, 3:59:52 AM
to wam...@googlegroups.com, Emile Cormier
On 09.07.19 at 20:15, Emile Cormier wrote:
> Thanks. +1 for us on implementing #217.

Issue #217? Which issue do you refer to?

The crossbar issue to add those HTTP headers is #1511.

>
> I don't know if it's technically possible, but supporting/emulating

Rawsocket does not have a cookie mechanism, and I'd be -1 on adding it,
because:

While it would of course be technically possible, that would make
rawsocket more complex. We introduced rawsocket exactly to be simple.

So: if you need cookies, use websocket. My view.

Emile Cormier

Jul 10, 2019, 10:18:55 AM
to WAMP
Yes, sorry, I meant #1511. :-)