cookieless sessions with ajax
Posted by thezver on Stack Overflow
Published on 2010-04-30T00:18:59Z
Indexed on 2010/04/30 0:27 UTC
OK, I know you get sick of this subject. Me too :(
I've been developing a quite "big application" with PHP & the Kohana framework for the past 2 years, somewhat successfully using my framework's authentication mechanism. But within this time, and as the app has grown, many concerning state-preservation issues have arisen.
The main problems are that cookie-driven sessions:
- can't be used for web-service access (at least it's really not nice to do so..)
- are in many cases problematic with mobile access
- don't allow multiple simultaneous apps on the same browser (can be resolved by hard trickery, but still..)
- require many configurations and mess to work 100% right, and that's without the browser issues (disabled cookies, old browser bugs & vulnerabilities etc.)
Many other session flaws are stated in this old thread: http://lists.nyphp.org/pipermail/talk/2006-December/020358.html
After a really long research, and without any good library/on-hand solution to fit my needs, I came up with a custom solution to the majority of those problems.
Basically, it's about emulating sessions with ajax calls, with additional security/performance measures:
- state preserved by interchanging the SID (+hash) with the client on ajax calls.
- state data saved in memcache (or equivalent), indexed by SID
Security achieved by:
- appending an unpredictable hash to the SID
- regenerating the hash on each request & validating it
- validating a fingerprint of the client on each request (referrer, OS, browser etc.)
(*) Condition: ajax calls are not simultaneous, to prevent a race condition with the session token. (Hopefully Ext-Direct solves that for me.)
At first glance that's supposed to be not less secure than an equivalent cookie-driven implementation, and at the same time it's simple, maintainable, and resolves all the cookie flaws.. But I'm really concerned because I often hear the rule "don't try to implement custom security solutions".
I will really appreciate any serious feedback about my method, and any alternatives.
Also, any tip about how to preserve state on page refresh without cookies would be great :) but that's a small technical problem.
Sorry if I overlooked some similar post.. there are billions of them about sessions.
Big thanks in advance (and for reading until here!).
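Added example (not the asker's code and not Kohana's): a language-neutral Python sketch of the server side of the scheme described in the post, with an in-memory dict standing in for memcache; the header names used for the fingerprint and the 900-second TTL are assumptions. It shows why rotating the token on every validated call makes a captured token useless after one use, and why the "no simultaneous ajax calls" condition matters: any mismatch ends the session.

```python
import hashlib
import hmac
import secrets
import time

def client_fingerprint(headers):
    """Hash of stable request attributes; assumes a plain dict of HTTP headers.
    IP and Referer are left out on purpose: they change during a legitimate session."""
    material = "|".join(headers.get(k, "") for k in ("User-Agent", "Accept-Language"))
    return hashlib.sha256(material.encode()).hexdigest()

class AjaxSessionStore:
    """In-memory stand-in for memcache: sid -> {token, fp, data, expires}."""
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.store = {}

    def start(self, headers):
        sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.store[sid] = {"token": token, "fp": client_fingerprint(headers),
                           "data": {}, "expires": time.time() + self.ttl}
        return sid, token

    def validate_and_rotate(self, sid, token, headers):
        """Returns (new_token, data) or None. The client must send new_token on its next call."""
        entry = self.store.get(sid)
        if entry is None or entry["expires"] < time.time():
            self.store.pop(sid, None)
            return None
        fresh = hmac.compare_digest(entry["token"], token)
        same_client = hmac.compare_digest(entry["fp"], client_fingerprint(headers))
        if not (fresh and same_client):
            # A replayed/stolen token or a changed client kills the session outright;
            # two concurrent calls would trip this too, hence the "no simultaneous ajax" condition.
            del self.store[sid]
            return None
        entry["token"] = secrets.token_urlsafe(32)
        entry["expires"] = time.time() + self.ttl
        return entry["token"], entry["data"]

def demo():
    """Constructed exchange: one honest call, then a replay of the already-used token."""
    store = AjaxSessionStore()
    headers = {"User-Agent": "Mozilla/5.0 (demo)", "Accept-Language": "en"}
    sid, t0 = store.start(headers)
    t1, _ = store.validate_and_rotate(sid, t0, headers)   # honest client, receives t1
    replay = store.validate_and_rotate(sid, t0, headers)  # t0 reused -> rejected, session gone
    after = store.validate_and_rotate(sid, t1, headers)   # even the good token is dead now
    return t1 != t0, replay is None, after is None
```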
© Stack Overflow or respective owner