On Jan 25, 2018, at 2:58 PM, Pat Farrell <[email protected]> wrote: > On Thursday, January 25, 2018 at 8:33:40 AM UTC-5, [email protected] wrote: > > (2) would using a session cookie + some authorization middleware (such as > > casbin) make sense for our situation? what are its pro's and con's? > > In a pure micro-services architecture, you have to check every request in > every micro-service, its the nature of the beast. Of course, you pass around > a local token that expires in a 'short' time.
What I am going to describe here is overkill for almost everyone, and certainly
for a "first time building”, but it gives me the opportunity to discuss another
way of managing authenticated sessions with a RESTful API. Note, however, that
it requires specific client code.
With 1Password.{com,ca,eu}, we maintain an “authenticated session” that is
referenced by the client through a non-secret SessionID. (It could be a
non-secret cookie, but we put it in the URI). When the client first
authenticates, it does so using (a slightly non-standard version of) Secure
Remote Password, SRP:
https://godoc.org/github.com/agilebits/srp
this establishes a session key, which both the client and server will know. (It
does this without exchanging any secrets.)
After that, all requests are authenticated and encrypted with the session key
(or a key derived from the session key). This is all on top of TLS, which we do
not entirely trust. Thus, every client request contains a proof that it knows
the session key without ever transmitting it.
> Wiring your own that mostly works is trivial. Getting all the tiny details is
> very pedantic, and its easy to get wrong. Which is why its critical to ask
> how serious you are about value and potential attackers
Again, what we do is going to be overkill for most setups. And it was a lot of
work to build. But our security needs are probably different than most
people’s. Our authenticated session management isn’t as cleanly module-erized
as the SRP code, so we aren’t ready to publish that, but its on our wishlist of
stuff we would someday like to publish.
Cheers,
-j
–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
https://1password.com
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
smime.p7s
Description: S/MIME cryptographic signature
