cookieless sessions with ajax

Posted by thezver on Stack Overflow See other posts from Stack Overflow or by thezver
Published on 2010-04-30T00:18:59Z Indexed on 2010/04/30 0:27 UTC
Read the original article Hit count: 741

Filed under:
|
|
|
|

ok, i know you get sick from this subject. me too :(

I've been developing a quite "big application" with PHP & kohana framework past 2 years, somewhat-successfully using my framework's authentication mechanism. but within this time, and as the app grown, many concerning state-preservation issues arisen.

main problems are that cookie-driven sessions:

  • can't be used for web-service access ( at least it's really not nice to do so.. )
  • in many cases problematic with mobile access
  • don't allow multiple simultaneous apps on same browser ( can be resolved by hard trickery, but still.. )
  • requires many configurations and mess to work 100% right, and that's without the --browser issues ( disabled cookies, old browsers bugs & vulnerabilities etc )

many other session flaws stated in this old thread : http://lists.nyphp.org/pipermail/talk/2006-December/020358.html

After a really long research, and without any good library/on-hand-solution to feet my needs, i came up with a custom solution to majority of those problems .

Basically, i'ts about emulating sessions with ajax calls, with additional security/performance measures:

  • state preserved by interchanging SID(+hash) with client on ajax calls.
  • state data saved in memcache(or equivalent), indexed by SID
  • security achieved by:

    • appending unpredictible hash to SID
    • egenerating hash on each request & validating it
    • validating fingerprint of client on each request ( referrer,os,browser etc)

(*)condition: ajax calls are not simultaneous, to prevent race-condition with session token. (hopefully Ext-Direct solves that for me)

From the first glance that supposed to be not-less-secure than equivalent cookie-driven implementation, and at the same time it's simple, maintainable, and resolves all the cookies flaws.. But i'm really concerned because i often hear the rule "don't try to implement custom security solutions".

I will really appreciate any serious feedback about my method, and any alternatives.

  • also, any tip about how to preserve state on page-refresh without cookies would be great :) but thats small technical prob.

  • Sorry if i overlooked some similar post.. there are billions of them about sessions .

Big thanks in advance ( and for reading until here ! ).

© Stack Overflow or respective owner

Related posts about php

Related posts about security