undefined | Better HN

0 pointsecthiender11y ago0 comments

Excuse my ignorance, but how can I do session management without using cookies?

I tried searching on the net, but it doesn't seem to give any concrete/valid results.

Can you give me any pointers?

Edit: I do use OAuth2.0 on my services and use Mozilla Persona to manage user logins, but I am not clear how can I keep sessions between requests if I don't use cookies.

0 comments

hueving11y ago

You can carry the session ID in the URL. This also has the benefit of eliminating XSRF. The downside is that you have a horrendous URL if that type if thing bothers you, and you can't have a "remember me" check box in your login.

amatix11y ago

This approach has some massive downsides - the session ID is sent via Referer to outbound links, URLs are logged all over the place (including browser histories), it's easy for people to publicly share it without thinking which then ends up in Google as well...

al2o3cr11y ago

Partying like it's LITERALLY 1999...

lutoma11y ago

That's a horrible suggestion, it's not 1999 anymore…

MichaelGG11y ago

HTML5 has local storage, so you can put auth tokens in there and only send them when you need them, versus on every request.

stephenr11y ago

So rather than just using cookies effectively, you can make your application absolutely dependant on both JavaScrip and XHR?

ecthienderOP11y ago

I agree with you completely. Cookies are an older technology and is well supported in all kinds of browser. Plus it does the client side of session management for you(sending the tokens on every request). Localstorage is newer technology and might not be feasible in all situations. Plus JS+XHR are also not available to all kinds of users. (People using Tor, NoScript etc).

Also, I don't see the advantage of storing session/auth tokens in localstorage over cookies. Both are stored in plain text, and can be read if somehow it is obtained. Also, using localstorage means writing your own client-side implementation of doing the session management.

I also don't see the advantage of using session tokens in URLs. Anyway cookies are included as part of header of the HTTP request, you don't have to have your application send session trackers. I think both are functionally same and the tokens in URLs just does not look good!

And public/private key-based signing system is still not there yet, unless we simplify some UX issues about having private/public keys for every user, we are not getting there.

So, it looks like, to me, there is no really effective alternative for doing sessions apart from cookies (even in HTTP/2)?!

omeid211y ago

"Applications" on the web are inherently dependant on JavaScript and most often XHR too, but I do agree that using Local Storage has little to no advantage over Cookies.

1 more reply

keeperofdakeys11y ago

Maybe you can get around not using cookies for an AJAX application that keeps a constant connection open. But for the other 99% of the web, you still need cookies to get the statefullness required for any kind of authentication or tracking.

Cookies aren't auth tokens anyway, just session trackers.

blueskin_11y ago

Theoretically, we could move to a private key based system, where your browser encrypts/signs with a private key for each site, but there's neither the will to do it, nor the means to make it simple for the room temperature IQs. Shame, as the privacy and security benefits would be amazing.

stephenr11y ago

This could be done today with TLS Client Certificates. There is already browser support (through either <KeyGen /> or the MS alternative, which is an API rather than an element, I believe) for creating a private/public key pair, and sending the public key to the server.

Unfortunately it's not fantastically simple to move to a new device (particularly not a mobile device where client certs are even harder to install)

j / k navigate · click thread line to collapse

0 comments

hueving11y ago

amatix11y ago

al2o3cr11y ago

Partying like it's LITERALLY 1999...

lutoma11y ago

That's a horrible suggestion, it's not 1999 anymore…

MichaelGG11y ago

HTML5 has local storage, so you can put auth tokens in there and only send them when you need them, versus on every request.

stephenr11y ago

So rather than just using cookies effectively, you can make your application absolutely dependant on both JavaScrip and XHR?

ecthienderOP11y ago

And public/private key-based signing system is still not there yet, unless we simplify some UX issues about having private/public keys for every user, we are not getting there.

So, it looks like, to me, there is no really effective alternative for doing sessions apart from cookies (even in HTTP/2)?!

omeid211y ago

"Applications" on the web are inherently dependant on JavaScript and most often XHR too, but I do agree that using Local Storage has little to no advantage over Cookies.

1 more reply

keeperofdakeys11y ago

Cookies aren't auth tokens anyway, just session trackers.

blueskin_11y ago

stephenr11y ago

Unfortunately it's not fantastically simple to move to a new device (particularly not a mobile device where client certs are even harder to install)

j / k navigate · click thread line to collapse