cookieless sessions with ajax
- by thezver
ok, i know you get sick from this subject. me too :(
I've been developing a quite "big application" with PHP & kohana framework past 2 years, somewhat-successfully using my framework's authentication mechanism. but within this time, and as the app grown, many concerning state-preservation issues arisen.
main problems are that cookie-driven sessions:
can't be used for web-service access ( at least it's really not nice to do so.. )
in many cases problematic with mobile access
don't allow multiple simultaneous apps on same browser ( can be resolved by hard trickery, but still.. )
requires many configurations and mess to work 100% right, and that's without the --browser issues ( disabled cookies, old browsers bugs & vulnerabilities etc )
many other session flaws stated in this old thread : http://lists.nyphp.org/pipermail/talk/2006-December/020358.html
After a really long research, and without any good library/on-hand-solution to feet my needs, i came up with a custom solution to majority of those problems .
Basically, i'ts about emulating sessions with ajax calls, with additional security/performance measures:
state preserved by interchanging SID(+hash) with client on ajax calls.
state data saved in memcache(or equivalent), indexed by SID
security achieved by:
appending unpredictible hash to SID
egenerating hash on each request & validating it
validating fingerprint of client on each request ( referrer,os,browser etc)
(*)condition: ajax calls are not simultaneous, to prevent race-condition with session token. (hopefully Ext-Direct solves that for me)
From the first glance that supposed to be not-less-secure than equivalent cookie-driven implementation, and at the same time it's simple, maintainable, and resolves all the cookies flaws..
But i'm really concerned because i often hear the rule "don't try to implement custom security solutions".
I will really appreciate any serious feedback about my method, and any alternatives.
also, any tip about how to preserve state on page-refresh without cookies would be great :) but thats small technical prob.
Sorry if i overlooked some similar post.. there are billions of them about sessions .
Big thanks in advance ( and for reading until here ! ).