how to bake delicious cookie (restful meetup #03)
DESCRIPTION
Advanced topic of HTTP Cookie usage.
TRANSCRIPT
How to bake delicious cookie
Toru Yamaguchi (@zigorou), DeNA Co., Ltd.
Mobage Platform Senior Architect
Monday, April 14, 2014
Self Introduction
• Platform Architect
• RESTful API and JSON-RPC API design and implementation
• OpenSocial JavaScript API design
• Native SDK backend design
• Activity Streams backend design and implementation
• Mobage Connect (OAuth 2.0 and OpenID Connect Server) design
• JavaScript SDK design
• etc ...
• Perl Monger
• https://metacpan.org/author/ZIGOROU
• Profile
• @zigorou (twitter)
Recent implementation
• JSON Pointer (perl)
• JSON::Pointer
• JSON Schema validator (perl)
• JSV (not released to CPAN)
My recent interest
• Understanding how typical web applications are built
• Especially the session behavior of STATEful web applications
Cookie???
HTTP Cookie!
• Today we learn the details of HTTP cookie behavior
• And then we learn advanced cookie usage
Host Cookie
• A host cookie is set by a Set-Cookie response header without a domain attribute
• A host cookie is sent back only to the host that set it
Domain Cookie
• A domain cookie is set by a Set-Cookie response header with a domain attribute
• A domain cookie is sent to the sender domain and all of its sub-domains
Host and Domain Cookie Differences
(diagram: sender aaa.example.com, other host bbb.example.com, for each cookie type)
Host Cookie: Set-Cookie: foo=1;
Domain Cookie: Set-Cookie: foo=1; domain=example.com
Typical usage of domain cookie
• Sharing UserAgent STATE between many web services that have the same domain suffix
• login session
• tracking
The path attribute
• The path attribute controls, by URI path, which requests the UserAgent sends the cookie with
• This feature is used in very interesting ways by many services
• Especially Google+ Sign-In
The path behavior
(diagram: request paths /foo, /foo/bar, /abc and / checked against a cookie set with path=/foo)
Set-Cookie: xyz=1; path=/foo
Gmail multiple session by path attribute
• personal: /mail/u/0
• work: /mail/u/1
Transactional session (1)
• Create a temporary transactional resource
• GET /resources/new
• 302 Found
• Location: /resources/{resId}
• Set-Cookie: TSID=xyz123; path=/resources/{resId}
• Continue the process until the transaction finishes
Transactional Session (2)
• The path attribute ensures the sharing scope of the transactional session is only under the transactional resource endpoint
• Managing STATE by URI!!!
• Secure
• Expiration friendly
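The host, domain and path scoping rules from the slides above, as an added example in Python (not the talk's Perl code): a small model of the RFC 6265 domain-match and path-match checks a user agent applies when deciding which stored cookies to attach to a request, including a transactional session cookie scoped with path=/resources/{resId}. The host names, cookie names and the resource id abc123 are constructed for the example; expiry, Secure/HttpOnly and the rule that a Domain attribute must cover the host that set it are left out.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    host: str              # host that sent the Set-Cookie header
    domain: Optional[str]  # Domain attribute; None means a host cookie
    path: str              # Path attribute, or the RFC 6265 default path

def default_path(request_path: str) -> str:
    # RFC 6265 5.1.4: the request path up to, not including, its last "/"
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Turn a Set-Cookie header received from request_url into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    url = urlsplit(request_url)
    domain = attrs.get("domain")
    domain = domain.lstrip(".").lower() if domain else None  # leading dot is ignored
    path = attrs.get("path") or default_path(url.path)
    return Cookie(name, url.hostname.lower(), domain, path)

def domain_matches(request_host: str, cookie: Cookie) -> bool:
    if cookie.domain is None:  # host cookie: only the host that set it
        return request_host == cookie.host
    # domain cookie: the domain itself or any sub-domain of it
    return (request_host == cookie.domain
            or request_host.endswith("." + cookie.domain))

def path_matches(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 5.1.4: equal, or a prefix that ends on a "/" boundary,
    # so path=/foo covers /foo and /foo/bar but not /foobar, /abc or /
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")

def cookies_for(url: str, jar: List[Cookie]) -> List[str]:
    """Names of the stored cookies a user agent attaches to a request for url."""
    u = urlsplit(url)
    return sorted(c.name for c in jar if domain_matches(u.hostname.lower(), c)
                  and path_matches(u.path or "/", c.path))
```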
JSON Web Token
• Do you know JWT?
• JWT is JSON Web Token
• A JWT carries an ordinary JSON Object
• JWT has a few registered claims (roughly, a vocabulary)
• issuer, audience, subject
• issued at, expires at
• etc ...
• JWT supports signature (JWS) and encryption (JWE)
JWT encode/decode
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::WebToken qw( encode_jwt decode_jwt );

# sign the claims with an HMAC secret, then verify and decode them again
my $jwt  = encode_jwt({ foo => 1 }, "secret");
my $json = decode_jwt($jwt, "secret");
Using JWT to login session cookie (1)
• The expiry time of a JWT is server-side time
• But the Cookie's expires time is client-side time
• Moreover, the server can often confirm expiration without looking up the session db
• Verify UserAgent
• Embed a UA hash value in the JWT
• Verify session
• It is just verification of the JWT signature
Using JWT to login session cookie (2)
use JSON qw( decode_json );
use JSON::WebToken qw( encode_jwt );

# session claims as JSON; the object is signed with the server secret
# (note the comma after "iat", which the slide omitted)
my $session_value = encode_jwt(decode_json(<<JSON), "secret");
{
  "jti": "1234567",
  "iss": "https://authz.example.com",
  "aud": "https://authz.example.com",
  "sub": "https://profile.example.com/zigorou",
  "https://schema.example.com/session": {
    "ua_hash": 331365789,
    "remote_addr_ipv4_hash": 595682001,
    "tracking_cookie_hash": 1361976131
  },
  "iat": 1397293921,
  "exp": 1397380321
}
JSON
Transparent Session State Cookie
• In the OpenID Connect Session Management (http://openid.net/specs/openid-connect-session-1_0.html) specification
• Using a cookie without the HttpOnly attribute, it provides a Single Logout mechanism between the Authorization Server and the client application
• If you are interested in it, please read the specification
• Mobage Connect (my current work) supports it
Thanks
• If you have any questions, talk to me at the get-together.