cookieless sessions with ajax
Posted
by thezver
on Stack Overflow
See other posts from Stack Overflow
or by thezver
Published on 2010-04-30T00:18:59Z
Indexed on
2010/04/30
0:27 UTC
Read the original article
Hit count: 741
ok, i know you get sick from this subject. me too :(
I've been developing a quite "big application" with PHP & kohana framework past 2 years, somewhat-successfully using my framework's authentication mechanism. but within this time, and as the app grown, many concerning state-preservation issues arisen.
main problems are that cookie-driven sessions:
- can't be used for web-service access ( at least it's really not nice to do so.. )
- in many cases problematic with mobile access
- don't allow multiple simultaneous apps on same browser ( can be resolved by hard trickery, but still.. )
- requires many configurations and mess to work 100% right, and that's without the --browser issues ( disabled cookies, old browsers bugs & vulnerabilities etc )
many other session flaws stated in this old thread : http://lists.nyphp.org/pipermail/talk/2006-December/020358.html
After a really long research, and without any good library/on-hand-solution to feet my needs, i came up with a custom solution to majority of those problems .
Basically, i'ts about emulating sessions with ajax calls, with additional security/performance measures:
- state preserved by interchanging SID(+hash) with client on ajax calls.
- state data saved in memcache(or equivalent), indexed by SID
security achieved by:
- appending unpredictible hash to SID
- egenerating hash on each request & validating it
- validating fingerprint of client on each request ( referrer,os,browser etc)
(*)condition: ajax calls are not simultaneous, to prevent race-condition with session token. (hopefully Ext-Direct solves that for me)
From the first glance that supposed to be not-less-secure than equivalent cookie-driven implementation, and at the same time it's simple, maintainable, and resolves all the cookies flaws.. But i'm really concerned because i often hear the rule "don't try to implement custom security solutions".
I will really appreciate any serious feedback about my method, and any alternatives.
also, any tip about how to preserve state on page-refresh without cookies would be great :) but thats small technical prob.
Sorry if i overlooked some similar post.. there are billions of them about sessions .
Big thanks in advance ( and for reading until here ! ).
© Stack Overflow or respective owner