How to store Session ID securely
I am a student learning about cryptography. After searching online, I am still unable to find an answer to my question. I am wondering how to store a session ID securely for an ecommerce website. If it is possible, how so? Please do explain it in layman's terms. Looking forward to your helpful answers.

Cheers

Veer answered 8/7, 2017 at 5:42 Comment(0)

Session IDs are usually just a random (opaque) identifier that is passed between the client and the server. The server uses the identifier to look up state information (e.g. current cart content) in the database.

As a practical matter, you have to trust that the client will protect the session ID, as once you send it to them, it becomes a static token -- no amount of cryptography can fix the fact that anyone can present a session ID and then pretend to be the user.

There are some things that you can do to mitigate issues:

  1. ensure you are using a "secure enough" random generator to build the token

  2. make sure the transmission of the token is as secure as possible against eavesdropping or client-side theft (e.g. use SSL, httponly and secure cookie flags)

  3. Give the token a reasonable timeout, and require the user to request a new token periodically using e.g. a refresh token or re-login.

A lot of thought has gone into how this can work practically - have a look at the OAuth2 / OpenID Connect protocols.

Craps answered 8/7, 2017 at 5:51 Comment(4)
Your answer mostly explains how to generate, transmit and expire session IDs, but it does not explain how to store them. e.g. half of the internet says that cookies are deprecated, the other half says that web storage is insecure. What is your opinion about this? Dinka
Not sure where you get your information. Cookies are necessary for all modern web applications. Craps
MDN takes a neutral point in this discussion: developer.mozilla.org/en-US/docs/Web/HTTP/Cookies , You may want to read, starting from "Cookies were once used ...". As I said, a peaceful opinion. But then there are those who have strong opinions, and claim that only cookies are secure: dev.to/rdegges/please-stop-using-local-storage-1i04 But once you start reading the comments section, you will see that pretty much all reasons in favor of cookies get minimized, making cookies just as unsafe. - You could summarize it as: "Cookies were once used <full stop>". Dinka
Local storage is not cookies. Please find me an ecommerce, gaming, or other interactive website that does not use cookies. I'd be impressed. Craps
