tags:

views:

75

answers:

6
+2  Q: 

Is a Session-Less Design feasible?

Just brainstorming some ideas for a Web App I'm building soon.

One of the cornerstones of the Web is Session Handling: Have the user log in, send a cookie with magic binary encoded pixie dust, trust the user blindly afterwards.

I just wonder if it's feasible to completely eliminate 'traditional' sessions for a web app that would normally use it, e.g. an online store.

The idea would be to have a 'server side session' that doesn't use the SessionID or anything, but the username instead. So there is exactly 1 session per user, not more. That would allow stuff like a persistent shopping cart to work.

Authentication would be handled similar to how Web Services work: Expect HTTP Digest authentication on every single page view.

Ignoring the fact that anonymous visitors would have to be handled differently, do you think this approach would be feasible? Or would the additional traffic/load for constant authentication be a deal-breaker in the long run?

A: 

REST-like implementations such ASP.NET MVC do not require session state at all.

Robert Harvey  2010-10-26 17:52:10
A: 

Why reinvent the wheel? Sessions exist and work, making your own will expose you to umpteen vulnerabilities which existing frameworks/libraries discovered and covered.

What are you thinking to gain by using the username?

Konerak  2010-10-26 17:52:41
The underlying idea is to eliminate session hijacking. HTTPS is one option, I'm looking at other possible ideas and whether they are good or bad.
Michael Stum  2010-10-26 18:07:41
@Michael Stum ~ Because you're trying to protect what exactly? My point is how malicious do you expect the users to be? If you can't trust them, don't write the app.
drachenstern  2010-10-26 18:17:09
A: 

You should just use sessions. Even if its your own session implementation: eg. cookie contains random key used to store information the server. A cookie must be used or you will have to encode all links on the site with a query parameter that specifies the key -- bad idea!

I would then store the "session key", or what every you want to call it, with the persons username in the database.

When a user logs in to your site simply restore their previous "session".

Other then the query parameter option, which is a bad idea, you can track users by IP address. But this again is a horrible idea! Eg. many buildings have a limited number of Internet IPs and many times more internal computers.

There is no good way to track a user without using cookies.

Yes maybe you can use HTTP authentication but why bother? You are just going to introduce new issues and put limitations on your UI.

Plaudit Design - Web Design  2010-10-26 18:00:45
I wouldn't have to encode any links as there is exactly one session per user, and I know who the user is because they have to authenticate for each request - so I have a 'good' key already.
Michael Stum  2010-10-26 18:06:55
If you don't use cookies though won't you have to expect the http authentication to always be sent with every request so you know the person is? I haven't tried this before. You will want all requests to go through a secure connection. Can't use http since, I believe, http authentication is sent in plain-text on every request. Additionally you can't provide a way to logout.
Plaudit Design - Web Design  2010-10-28 20:13:20
A: 

First off, we don't use sessions at all.

We found that utilizing session complicated the code without any benefit. There are only two reasons to even consider using session state. The first is to reduce the amount of traffic to your sql server.. However, with load balanced web servers etc, session has to be stored in a sql server... Which kind of eliminates it's first point. But it's worse than that as the session has to be retrieved, deserialized, serialized, and stored on every single page load.

The second reason is to keep from having the browser pass the user id back to the application on each request. However, "session hijacking" is a fairly easy trick to pull off and is rarely taken into account.

So, instead, we use a highly encrypted cookie with non-guessable values that indicate exactly who the user is. We've coupled this with a changing, non-guessable, request id and have eliminated both session state (and it's unnecessary overhead) while at the same time improving security all around.

Can the cookie be stolen? Sure, but it has a very limited life that is the amount of time between two postbacks. Which means it will be found to have been compromised rather quickly.

So, I wouldn't say sessions are a "corner stone" of the web. Rather I'd say they are crutches that are often used improperly and should be avoided for both security and performance reasons.

All of that said, the only way you are going to tie this to a user id is if you force your users to login/create account prior to shopping.. Which no one is going to do unless they have no other choice but to be on your site.

Oh, and don't take my word for it:

4GuysFromRolla.com -> Session variables are evil.
aps.net -> Are session variables still evil?
Scott Hansleman -> Moving Viewstate to Session Pay attention to the part in bold covering memory consumption and it's ability to stay around for way too long.
Coding Horror -> Your Session has timed out This details just some of the problems associated with even using session
Wikipedia -> Session Hijacking What list would be complete without a link to wikipedia?

Chris Lively  2010-10-26 18:16:53
So, if someone is using your site, and the latest encrypted key is "1234", then goes away for a few hours, when they come back, will that key still be valid? If so, then how are you not just as exposed as a standard .Net session other than changing it every request? Regardless, there is a key that can be taken from 1 machine to another and activity will resume as normal, right? I understand that if the original user continues to use the site, you'll know that someone is trying to hack you, and this "security hole" has been minimized, but it still exists, right?
Matt  2010-10-26 22:06:49
@Matt: First we tell the cookies to expire after a very small time period. Second, we have an encrypted last seen at value inside the cookie that we test on ourselves. This allows us to force the cookie expiration in the event it's replayed. Of course, if they steal the last one then they could replay it up to a few minutes later. However, this would take have to be a highly targeted attack for it to work.
Chris Lively  2010-10-26 22:30:36
I see. How do you deal with expired cookies then? I'm thinking along the lines of someone leaving their computer while in the middle of a task, coming back, and then their cookie has expired and so their work would be lost. Of course, your site requirements might render that question moot. I don't know anything about your site/biz requirements. Just curious.
Matt  2010-10-27 18:24:00
@Matt: Our site works on fairly atomic operations, meaning the amount of possible work lost due to expiration is very small. This is tempered by the sensitivity of the data in question. For us it's better to kick them out and have them log back in than to leave the window open.
Chris Lively  2010-10-27 18:32:59
Fair enough -- thanks Chris! It's nice to get a good understanding of technique like yours, and also the limitations, so that I can know if and when to use it. Thanks for your time and explanations.
Matt  2010-10-27 19:38:48
"We've coupled this with a changing, non-guessable, request id" - what happens if the user opens a second window? How do you create a user id? You are just using the user id as the session identifier and created lots of headaches for yourselves and your users.
symcbean  2010-10-29 11:52:22
@symcbean: In our case, the security needs outweigh any perceived need to open multiple windows.
Chris Lively  2010-10-29 14:32:04
A: 

That actually is pretty much what a traditional session does -- provide a unique identifier to distinguish a browser "session", all you are doing is tying it to username rather then a random variable.

I would say just be very careful of how you generate your token, if it is reproducible you could easily accomplishes the goal of a session fixation attack by generating someone elses session and jamming it into a cookie. That is the reason that sessions are usually a random unique value.

Matt Briggs  2010-10-26 18:35:09
The idea is to not have a token. Nothing that gets sent to the client - no cookie, no fancy URL, nothing at all. Instead, HTTP Authentication for every request.
Michael Stum  2010-10-26 19:01:04
HTTP Authentication sends its own stuff on every request. You just don't mess with it, the server and client do.
Matt  2010-10-26 21:58:08
A: 

The idea would be to have a 'server side session' that doesn't use the SessionID or anything, but the username instead. So there is exactly 1 session per user, not more. That would allow stuff like a persistent shopping cart to work.

That's just a session, but using the username as the session identifier - which is going to cause all sorts of problems - its open to replay attacks even if you encrypt it. You can't change the encrpytion per-request because that will break when the user opens a second window or presses the back button.

You can't rely on the client address - multiple users may share a NAT address, the same user may access your site from behind a cluster of load-balanced proxies.

like a persistent shopping cart

...implies that you have server-side data for the customer - since the size of this data will vary, you can't store it in the URL nor in a cookie.

Expect HTTP Digest authentication on every single page view.

That presupposes that you create accounts for every user, and that you're not concerned about the impact of the same user id being used by different clients. I don't think that this would require significantly more processing than a conventional session - but its still web-based session management with a different set of problems and vulnerabilities compared to the conventional approach.

symcbean  2010-10-29 12:18:00

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.