EzDevInfo.com


Session.js - Get user session information

How to empty/destroy a session in rails?

I can't seem to find it anywhere... How do I delete/destroy/reset/empty/clear a user's session in Rails? Not just one value but the whole thing..


Source: (StackOverflow)

In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?

Both Session.Clear() and Session.Abandon() get rid of session variables. As I understand it, Abandon() ends the current session, and causes a new session to be created thus causing the End and Start events to fire.

It seems preferable to call Abandon() in most cases, such as logging a user out. Are there scenarios where I'd use Clear() instead? Is there much of a performance difference?


Source: (StackOverflow)


ASP.NET: Session.SessionID changes between requests

Why does the property SessionID on the Session-object in an ASP.NET-page change between requests?

I have a page like this:

...
<div>
    SessionID: <%= SessionID %>
</div>
...

And the output keeps changing every time I hit F5, independent of browser.

I've seen this work correctly in other projects.


Source: (StackOverflow)

PHP Pass variable to next page

It seems pretty simple but I can't find a good way to do it.

Say in the first page I create a variable

$myVariable = "Some text";

And the form's action for that page is "Page2.php". So in Page2.php, how can I have access to that variable? I know I can do it with sessions but I think it's too much for a simple string, and I do only need to pass a simple string (a file name).

How can I achieve this?


Source: (StackOverflow)

What is the best way to prevent session hijacking?

Specifically this is regarding when using a client session cookie to identify a session on the server.

Is the best answer to use SSL/HTTPS encryption for the entire web site, so that you have the best guarantee that no man-in-the-middle attack will be able to sniff an existing client session cookie?

And perhaps second best to use some sort of encryption on the session value itself that is stored in your session cookie?

If a malicious user has physical access to a machine, they can still look at the filesystem to retrieve a valid session cookie and use that to hijack a session?


Source: (StackOverflow)

How do I expire a PHP session after 30 minutes?

I need to keep a session alive for 30 minutes and then destroy it.


Source: (StackOverflow)

How to save a session in Vim

Depending on my task in Vim I have several tabs open.

How can I save different sessions for later use?


Source: (StackOverflow)

How to do authentication with a REST API right? (Browser + Native clients) [closed]

I'm building a web application using Rails. At the moment I'm using Devise with HTTP sessions which was pretty easy to set up and it's working well.

The application consists of one URL providing an AJAX web application. The rest of the URLs available belong to the REST API. So everything and every little data request is done via AJAX.

Now I'd like to extend the whole thing to support native clients. I read a lot about stateless auth, http basic and digest auth, http sessions, cookies, xsrf, etc... And now I feel like I can't have a secure app, because there's always a way to hijack some parts of it.

1.: HTTP session Vs. stateless auth token

What's the difference? I don't get it.

  • HTTP session:

    1. Client requests a URL (first request to the server)
    2. Server gives the normal response plus some unique string (== session ID)
    3. Client has to send this string with every request (which is done automatically using HTTP header)
    4. Client logs in -> Server memorizes that this particular session ID is now logged in
    5. Client visits a page which requires auth -> Nothing special to do, because the session ID will automatically get sent to the server via HTTP header
  • stateless auth token:

    1. Client requests a URL (first request to the server)
    2. Server just gives the normal response without any key or token or id
    3. (nothing special here)
    4. Client logs in -> Server creates an auth token and sends this token to the client inside the response
    5. Client visits page which requires auth -> Client has to submit the auth token

For me both ways look pretty similar. With Rails I can also choose to store the session inside the database... Devise would do the same with the stateless auth token.

2.: The authentication method

Right now I'm using POST /users/sign_in with {"user":{"email":"e@mail.com","password":"p455w0rd"}}.

But there are other possibilities like HTTP basic auth and HTTP digest auth, but also solutions like oAuth (too big for my purpose).

From what I've read:

  • Concerning sign_in security there's no difference between the current POST /users/sign_in and HTTP basic auth. Both use cleartext.
  • For sign_out HTTP basic auth has a disadvantage: Sign out is only possible by closing the browser window
  • HTTP digest auth has a huge advantage: It doesn't transmit the password at all (just a hash of password plus random generated string)
  • (German) Wikipedia says: HTTP digest auth is not supported by all browsers. Maybe this information is way too old?!

What I need:

  • usernames and hashed passwords (bcrypt) stored in a database.
  • user can change his password and the password must not be sent in plaintext. (The same problem occurs when it comes to user sign_up). Possible solutions?
    1. of course: using SSL/TLS
    2. client requests a want_to_change_password_salt and uses it to encrypt the password on the client side. but (?!) this way I'd send an essential part of the hashed password over the wire plus the hashed password. Sounds insecure to me?!

3.: CSRF Token

As said above, right now I have just a normal AJAX website using the REST API. It has XSRF protection: The website gets delivered by rails and thus has embedded the XSRF token. I read it using AJAX and transmit it when doing a POST. Rails then returns the requested data and a new XSRF token, which I then use for the next POST.

Now I want to change my server application to work with native clients. A native client won't load the HTML page and thus won't retrieve a CSRF token. So the following options came to my mind:

  • Create a XSRF token REST resource. So the (native) client has to request a XSRF token from this resource before it can do the first POST.
  • Disable XSRF protection entirely.

Questions:

  • How does XSRF protection work (in Rails)? How does the server know which token belongs to which client? The only way I can think of are sessions. This assumption leads to:
  • If I disable session in order to create a fully stateless REST API, XSRF protection won't work anymore. Right?

4.: Stateless auth token

Here I have mostly a lot of questions:

  • Does it have the same security problems as HTTP sessions? What I mean: Stealing the session ID has the same effect as stealing the auth token. Right?
  • Expiration of the auth token should work the same as with HTTP sessions: The server has to store a timestamp somewhere (database or session, respectively) and check that.
  • sign_out works the same, too?
    • Session: Destroy session on the server
    • Auth token: Destroy the token on the server
  • From what I've read it should be more secure to store the auth token inside the HTTP header (just like session ID), because server logs can contain GET parameters and thus could contain the token.
  • Should it just be a plain auth token or would it be better if the client also transmits its user_id or even the hashed password? HERE I read that the client should send:
    1. user_id
    2. expiration_date
    3. a hash (or what's HMAC?) of [user_id, expiration_date, SECRET_KEY]. Where SECRET_KEY is basically a random string generated by the server.

Sorry for the huuuge post, but security is essential! And I don't want to make design mistakes which could probably expose private data.

Thank you :)


Here's a bit of new information and new questions ;-):

5.: Native Clients

As far as native clients are concerned, there's no (easy) way to use sessions:

  • A native client is no browser

  • Thus it won't easily handle cookies (and without cookies there's no typical session handling)

So there are 3 possible choices:

  1. Implement session handling for native clients. This would be like:

    1. Login
    2. read HTTP Header of response to get the cookies
    3. save all cookie data you need (especially the one with the session stuff) locally
    4. send this session id with every request you do
  2. Don't use sessions at all. From the point of view of a native client it's pretty much the same as 1.:

    1. Login
    2. Get some authentication token from the HTTP header or response body (it's your app, thus it's up to you)
    3. save this token locally
    4. send this token with every request
  3. The hybrid approach. This basically means that the server has to distinguish between browser and native client and then check the provided session id and session data or (for native clients) check the provided auth token.

6.: CSRF Token with stateless (= no session/no cookies) auth

CSRF Protection protects your users from malicious websites that try to make requests to your API in the name of your logged-in user, without your user knowing it. That's pretty simple when using sessions:

  1. User logs in at your API
  2. A session gets created
  3. Your user's browser will have a cookie set with this session ID
  4. Every request your user makes to your API is automatically authenticated, because the browser will send all cookies (including the session id) along with each request to your API

And thus the attacking website simply has to do the following:

  1. Write a custom HTML <form> which points to your API
  2. Let the user somehow click the Submit button

Of course this form will be something like:

<form action="http://your.api.com/transferMoney" method="post">
  <input type="hidden" name="receiver" value="ownerOfTheEvilSite" />
  <input type="hidden" name="amount" value="1000.00" />
  <input type="submit" value="WIN MONEY!!" />
</form>

This leads to the following assumptions:

  1. CSRF Protection is only needed because browsers automatically send cookies.

  2. Native clients do not need CSRF Protection (of course: your browser can't access the authentication data (token, cookie, whatever) of your native app, and your native app won't use a browser to communicate with the API)

  3. If you've got an API design which doesn't use Cookies to authenticate the user, there's no possibility to do CSRF. Because the attacker must know the authentication token and explicitly send it along with the malicious request.

If you want to oversecure your app, you can of course use CSRF Tokens along with your stateless authentication mechanism, but I'm pretty sure that there's no additional security gain.


7.: The right HTTP Methods to choose

Login / Sign in and Logout / Sign out:

Never use GET for (at least) three reasons:

  1. CSRF Protection in most cases only protects POST, PUT, PATCH and DELETE and thus a CSRF could log in a user without his knowledge when using a GET request

  2. GET requests should never change the application state. But when e.g. using Sessions the application state changes on login/logout, because a session gets created or destroyed.

  3. When using a GET request and transmitting the authentication information as URL parameters (e.g. http://your.api.com/login?username=foo&password=bar) there is another problem: Server logs! Most servers simply log every HTTP request including all URL parameters. That means: If your server gets hacked, there's no need to crack the password hashes from your DB, they just have to have a look at the server's log files. In addition a malicious admin could also read the login information for every user. Solutions:

    • Use POST (or whatever method you like) and send the authentication information inside the request body. Or:
    • Send the authentication information within the HTTP headers, because that information normally does not appear in the server log files. Or:
    • Have a look at the server config, and tell it to remove every URL parameter that is named "password" (or obfuscate it, so the URL becomes login?username=foo&password=*** inside the logs). But I suggest simply using the request body for this kind of information along with the POST method.

So you could use for example:

POST http://your.api.com/authentication for login

DELETE http://your.api.com/authentication for logout


8.: Passwords and Hashing

Authentication only works with some secret key. And of course this key should be kept secret. This means:

  • Never store a password in plaintext in your database. There are several libraries available to make it secure. In my opinion the best option is bcrypt.

  • bcrypt: It's been optimized to hash passwords. It automatically generates a salt and hashes the password multiple times (rounds). In addition the generated hash string contains everything needed: Number of rounds, salt and hash. Thus you just need to store this one String and there's no need to write anything by hand.

  • of course you can also use any other strong hashing library. But for most of them, you've got to implement salting and using more than one round yourself. Additionally they won't give you just a single string like bcrypt does, thus you've got to manage storing rounds, salt and hash yourself and reassemble them afterwards.

  • rounds: This is simply how often the password should be hashed. When using 5000 rounds the hashing function will return the hash of the hash of the hash of the hash of the password. There's basically a single reason to do this: It costs CPU Power! This means: When someone tries to bruteforce your hash, it takes 5000 times longer when using 5000 rounds. For your application itself it doesn't matter that much: If the user knows his password, he will not notice if the server took 0.0004ms or 2ms to validate it.

  • good passwords: The best hashing function is useless if the password is too simple. If it can be cracked using a dictionary, it doesn't really matter if you hashed it with 5000 rounds: It will maybe take a few hours longer, but what are a few hours, if it could be months or years? Thus make sure that your users' passwords follow the usual recommendations (lower + upper case + numbers + special chars, etc. pp.)


9.: Sending encrypted passwords over the wire

If you can't (or don't want to) rely on HTTPS, but don't want to send passwords in cleartext when signing in, you can use asymmetric cryptography ( http://en.wikipedia.org/wiki/Public-key_cryptography ).

This server creates a key pair (public key and private key). The public key is made available to the clients, the private key has to be kept private!

The client can now encrypt data using the public key, and this data can only be decrypted by the owner of the private key (= the server).

This should not(!) be used to store passwords in the database, because if your server gets hacked, the hacker will have the encrypted passwords and the private key for decryption. Thus keep using some hashing algorithm (like bcrypt) for storing passwords in your database. Another reason is that you can easily generate a new key pair if you think that someone cracked your encryption.

HTTPS basically works the same way. Though, if your application uses HTTPS (which is recommended) there might be no big benefit in terms of security. But as stated above, if you can't use HTTPS for whatever reason or don't trust it, that's a way to craft your own secure connection.

And keep in mind that a real HTTPS connection encrypts the whole(!) connection and all data, not only password data. And it encrypts it both ways, from client to server and server to client.


Source: (StackOverflow)
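The signed, expiring token sketched in section 4 of the question above (user_id, expiration date, and a MAC keyed with a server secret), written out as an added Ruby example; this is not code from the question, from Rails or from Devise. SECRET_KEY, the dotted token format and the `Bearer` Authorization scheme are assumptions made for this example.

```ruby
require "openssl"

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never commits it to source control.
SECRET_KEY = "constructed-example-secret-do-not-reuse".freeze

# Constant-time comparison, so that verification time does not reveal how
# many leading bytes of a forged MAC happened to be right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The authenticated message: user_id and expiration (epoch seconds), joined
# with a separator that cannot occur inside either numeric field.
def token_payload(user_id, expires_at)
  "#{user_id.to_i}.#{expires_at.to_i}"
end

# Issue a token = payload + HMAC-SHA256(SECRET_KEY, payload). The secret is
# the MAC key, not part of the message, so the client never learns it.
def issue_token(user_id, ttl_seconds, now: Time.now, secret: SECRET_KEY)
  payload = token_payload(user_id, now + ttl_seconds)
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}.#{mac}"
end

# Verify a token. Returns the user_id, or nil when the token is malformed,
# the MAC does not match, or the expiration has passed. The MAC is checked
# first so nothing in the payload (including exp) is trusted before that.
def verify_token(token, now: Time.now, secret: SECRET_KEY)
  user_id, exp, mac = token.to_s.split(".", 3)
  return nil if [user_id, exp, mac].any?(&:nil?)
  return nil unless user_id =~ /\A\d+\z/ && exp =~ /\A\d+\z/
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, token_payload(user_id, exp))
  return nil unless secure_equal?(expected, mac)
  return nil if Time.at(exp.to_i) <= now
  user_id.to_i
end

# Read the token from the Authorization header rather than a URL parameter,
# which would otherwise end up in the server's access logs.
def authenticate(headers, now: Time.now, secret: SECRET_KEY)
  auth = headers.fetch("Authorization", "")
  return nil unless auth.start_with?("Bearer ")
  verify_token(auth.delete_prefix("Bearer "), now: now, secret: secret)
end

if __FILE__ == $PROGRAM_NAME
  token = issue_token(42, 30 * 60) # 30-minute lifetime
  puts "issued: #{token}"
  puts "now:    #{authenticate({ "Authorization" => "Bearer #{token}" }).inspect}"
  puts "later:  #{authenticate({ "Authorization" => "Bearer #{token}" }, now: Time.now + 3600).inspect}"
end
```

Because the expiration is inside the signed payload, the server needs no stored timestamp to enforce it; immediate sign-out, however, still requires the server to record revoked tokens, since a token otherwise stays valid until its exp.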

How do servlets work? Instantiation, shared variables and multithreading

Suppose I have a webserver which holds numerous Servlets. For passing information among those Servlets I am getting the Servlet context and setting session variables.

Now, if 2 or more users send requests to this server, then what happens to the session variables? Will they all be common for all the users, or will they be different for each user? If they are different, then how was the server able to differentiate between different users?

One more similar question: if there are *n* users accessing a particular Servlet, does this Servlet get instantiated only the first time the first user accesses it, or does it get instantiated for all the users separately?


Source: (StackOverflow)

Do sessions really violate RESTfulness?

Is using sessions in a RESTful API really violating RESTfulness? I have seen many opinions going either direction, but I'm not convinced that sessions are RESTless. From my point of view:

  • authentication is not prohibited for RESTfulness (otherwise there'd be little use in RESTful services)
  • authentication is done by sending an authentication token in the request, usually the header
  • this authentication token needs to be obtained somehow and may be revoked, in which case it needs to be renewed
  • the authentication token needs to be validated by the server (otherwise it wouldn't be authentication)

So how do sessions violate this?

  • client-side, sessions are realized using cookies
  • cookies are simply an extra HTTP header
  • a session cookie can be obtained and revoked at any time
  • session cookies can have an infinite life time if need be
  • the session id (authentication token) is validated server-side

As such, to the client, a session cookie is exactly the same as any other HTTP header based authentication mechanism, except that it uses the Cookie header instead of the Authorization or some other proprietary header. If there were no session attached to the cookie value server-side, why would that make a difference? The server side implementation does not need to concern the client as long as the server behaves RESTfully. As such, cookies by themselves should not make an API RESTless, and sessions are simply cookies to the client.

Are my assumptions wrong? What makes session cookies RESTless?


Source: (StackOverflow)

NHibernate - Difference between session.Merge and session.SaveOrUpdate?

I noticed sometimes with my parent/child objects, or many-to-many relationships, I need to call either SaveOrUpdate, or Merge. Usually, when I need to call SaveOrUpdate, the exception I get on calling Merge has to do with transient objects not being saved first... Please explain the difference between the two.


Source: (StackOverflow)

What is default session timeout in ASP.NET?

What is the default session timeout value in ASP.NET?


Source: (StackOverflow)

Check if PHP session has already started

I have a PHP file that is sometimes called from a page that has started a session and sometimes from a page that doesn't have a session started. Therefore when I have session_start() on this script I sometimes get the error message for "session already started". For that I've put these lines:

if(!isset($_COOKIE["PHPSESSID"]))
{
  session_start();
}

but this time I got this warning message:

Notice: Undefined variable: _SESSION

Is there a better way to check if a session has already started?

If I use @session_start will it make things work properly and just shut up the warnings?


Source: (StackOverflow)

NHibernate ISession Flush: Where and when to use it, and why?

One of the things that gets me thoroughly confused is the use of session.Flush, in conjunction with session.Commit, and session.Close.

Sometimes session.Close works, e.g., it commits all the changes that I need. I know I need to use commit when I have a transaction, or a unit of work with several creates/updates/deletes, so that I can choose to rollback if an error occurs.

But sometimes I really get stymied by the logic behind session.Flush. I have seen examples where you have a session.SaveOrUpdate() followed by a flush, but when I remove Flush it works fine anyway. Sometimes I run into errors on the Flush statement saying that the session timed out, and removing it made sure that I didn't run into that error.

Does anyone have a good guideline as to where or when to use a Flush? I've checked out the NHibernate documentation for this, but I still can't find a straightforward answer.


Source: (StackOverflow)

Can you help me understand this? "Common REST Mistakes: Sessions are irrelevant"

Disclaimer: I'm new to the REST school of thought, and I'm trying to wrap my mind around it.

So, I'm reading this page, Common REST Mistakes, and I've found I'm completely baffled by the section on sessions being irrelevant. This is what the page says:

There should be no need for a client to "login" or "start a connection." HTTP authentication is done automatically on every message. Client applications are consumers of resources, not services. Therefore there is nothing to log in to! Let's say that you are booking a flight on a REST web service. You don't create a new "session" connection to the service. Rather you ask the "itinerary creator object" to create you a new itinerary. You can start filling in the blanks but then get some totally different component elsewhere on the web to fill in some other blanks. There is no session so there is no problem of migrating session state between clients. There is also no issue of "session affinity" in the server (though there are still load balancing issues to continue).

Okay, I get that HTTP authentication is done automatically on every message - but how? Is the username/password sent with every request? Doesn't that just increase attack surface area? I feel like I'm missing part of the puzzle.

Would it be bad to have a REST service, say, /session, that accepts a GET request, where you'd pass in a username/password as part of the request, and returns a session token if the authentication was successful, that could be then passed along with subsequent requests? Does that make sense from a REST point of view, or is that missing the point?


Source: (StackOverflow)