How to determine the user (get access to his session data) in laravel by receiving a request through node sockets? - laravel

The site (Laravel 6) has a page where we connect to a socket server in Node (self-written sockets are used).
Node is just an intermediary between the client and Laravel. Therefore, Node then sends a POST request to Laravel with the client data.
Laravel needs to determine which user it is; if everything is correct, it gets access to that user's session data (does something with it, which is already business logic) and returns a confirmation to Node that this client connected successfully.
If Laravel cannot identify the user, it returns to Node a refusal to connect this client.
The question is: with such a setup, how does Laravel determine which user wants to connect?
It is possible to pass the encrypted session id stored in the user's cookies from the client to Node and forward it to Laravel. But how do I start this session in a standard way and work with it?
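One way to do what the question describes, as an added example that is not part of the original post: a Laravel 6 controller, registered in routes/api.php (so no StartSession middleware runs on it), that receives the still-encrypted `laravel_session` cookie value from the Node relay in a field assumed here to be called `session_cookie`, decrypts it the same way the EncryptCookies middleware would, loads that session and resolves the user through the `web` guard. The endpoint must only be reachable by the Node process (internal network or a shared secret), because whoever can call it can act on any session id they hold.

```php
<?php
// Added example, not from the original question or the Laravel project itself.
namespace App\Http\Controllers;

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Session;

class SocketAuthController extends Controller
{
    public function connect(Request $request)
    {
        // 1. Undo the EncryptCookies step by hand. Cookie values are encrypted
        //    without PHP serialisation, hence the `false` second argument.
        try {
            $sessionId = Crypt::decrypt($request->input('session_cookie', ''), false);
        } catch (DecryptException $e) {
            return response()->json(['ok' => false, 'reason' => 'bad cookie'], 403);
        }

        // Later 6.x patch releases prefix cookie values with an HMAC bound to the
        // cookie name ("<40 hex chars>|"); the 40-character session id comes last.
        if (strlen($sessionId) > 40) {
            $sessionId = substr($sessionId, -40);
        }

        // 2. setId() silently generates a fresh, empty session for an invalid id,
        //    so reject explicitly instead of mistaking that for "unknown user".
        if (! Session::isValidId($sessionId)) {
            return response()->json(['ok' => false, 'reason' => 'invalid session id'], 403);
        }

        // 3. Load that session from the configured driver (file, redis, database, ...).
        Session::setId($sessionId);
        Session::start();

        // 4. The web guard reads the user id from the key it wrote at login.
        $user = Auth::guard('web')->user();
        if ($user === null) {
            return response()->json(['ok' => false, 'reason' => 'not authenticated'], 403);
        }

        // Business logic on Session::get(...) / Session::put(...) goes here.
        Session::save(); // persist any changes made above

        return response()->json(['ok' => true, 'user_id' => $user->getAuthIdentifier()]);
    }
}
```

Because the session cookie is the user's credential, the page should hand it to Node only over TLS and only to the socket host it already trusts, and the session driver must be one all Laravel workers share (not per-process memory) or the lookup in step 3 will not find the session.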

Related

JSON web token vs session - how does authentication from multiple devices work in detail?

I have read a lot about JSON tokens vs sessions and still don't understand a few things.
The benefit of using tokens is authentication across multiple devices.
Let's say a user signs up on a website, the server generates a session id and sends it to the client, and the client saves it in cookies or localStorage (so whenever the user wants to log in again on the website, the client sends the session id to the server on each request; the server queries the DB and checks if it's the same id, and if yes sends a response). Then the same user uses a mobile app to log in. Since the session id is only stored inside the computer browser's cookies/localStorage and not on the mobile device or another computer, how would the login from either a different computer or a mobile device happen? Would the server send a different session id to each device the user logs in on, and then there is some sort of array stored on the server with ALL the user's session ids?!
I also read that it's much simpler with tokens as they are stateless. I just don't understand how that is relevant when it comes to multiple devices.
I read that for each request the server checks, using the same signature it used when it issued the token, if it's valid. The client needs to send that token to the server with each request though. So isn't that the same - a different computer never stored the token inside cookies/localStorage, so how would that work?! Would the server need to create a different token? If that's the case, I don't get the difference and why sessions are less beneficial than tokens when it comes to multiple devices!
Also, I read: "Session cookies only work across a single domain, or on its subdomains. If they try to go to a third party, browsers tend to disable them... that won't happen with tokens". I don't understand what it means and how it's related to multiple devices, and also why cookies are relevant, as JSON tokens ARE usually ALSO stored in cookies, just like the session id?!
Sorry if it's maybe too basic, I just read so much about it and just don't understand the basics.
There are some important differences between JWT and sessions.
Sessions are stored inside the RAM of the server or in a database to store where a user is or what he is doing. For example, you store the current page the user is working on.
BUT JWT is stateless. The server does not save the user's state or his data to RAM or a database. The server generates a key for the user including some important data for authentication (for example username, role, last access date); therefore the user must send his key with every request until his key expires, and then he must request another one. Since the key only includes user auth data, it can be used on every device (until it expires).
As you mentioned, in mobile applications the user gets multiple sessions, so JWT is mostly used in mobile or single-page applications. The user gets a key, and the state of the user's activity is handled by the mobile application.
Hope this helps.

Why do we need sessions, when we already have cookies?

I am new to web applications. I am learning cookies and sessions, and I understand HTTP is a stateless protocol; to make it stateful we use cookies on the client side and sessions on the server side.
When the user requests a webpage, it sends all the cookies available for that browser on the PC.
If any one of the cookies matches the server-side database, the server shows the data; else it sends a Set-Cookie with a session ID (optionally the server creates a session and sends the session ID).
a. If the server sends a Set-Cookie, the client sends the cookie with the session id in all respective requests, only if the domain name matches the server to which the client sent it.
Now my doubt is: suppose I am working on an e-commerce site, and the server sends the number of items added to the cart until the user logs out. Now, it can be done using a cookie alone, so why do we need a session at all?
Is there something I am not understanding?
These are separate concepts:
Cookie - The browser sends this with every request automatically.
Header - Part of an HTTP request; the browser will only send data here if instructed.
Access token - Contains a secret which may be a JWT (and identify the user) or a random set of characters.
Session - A token bound to a user + device that authenticates the user. If the user doesn't have an access token, they can use the session to get a new token.
You can see that Cookie/Header are the where and access token/session token are the what.
The user needs to authenticate in your service. That means you need to be able to identify the user. That may be done with a JWT, session token, IP address, a signature, etc. And that is separate from how this data is transmitted to the service from the user.
So when you say "why do I need a session when the user has cookies", these are totally unrelated. The session id may be saved in a cookie; that's just one option.
Whether or not the session id in a cookie corresponds to actual data on the server side is another completely separate question. Should the session token be an encrypted (or signed) object, like a JWT which contains user-identifying information, or should that data be saved in a server-side DB, and only a random-string identifier transmitted? Who knows?
The answer is going to be based on what's critical for your application. Generally speaking, session tracking on the server side is a legacy concept, and the new hotness (which is old now) is to make the sessionId a JWT saved in an HTTP-only cookie for security, and then passed on every request.
Lots of services have sessions and access token management baked in, and for a working example and more about tokens, check out any one of many knowledge bases.
Because:
There may be, and probably is, sensitive data in that session, e.g. the user's id, identifying who the user is. If you just stored the user's id in a cookie, the user could manipulate it and easily pose as anyone else. There are of course ways to mitigate that, but simply not allowing the user to futz with the cookie contents (because it's just a meaningless session id) is the simplest.
It allows the server to manage session state; e.g. if a user suspects somebody is logged in as them on another device, they can invalidate all other sessions ("log me out everywhere" functionality).
You may be storing a lot of data, and sending it back and forth in a cookie on every request can become rather wasteful.
You may want to associate something like a shopping basket with the user's account, not just the user's browser, so when they log in on another device their shopping cart is following them around.
Yes, there are also perfectly fine cases where storing information just in a cookie is fine and preferable, especially since that allows you to scale your server more easily to a cluster of servers without having to worry about where the session information is stored. It depends on what information exactly you are storing.
The usual pattern is:
the cookie contains only a unique session identifier (but no useful information itself);
the session storage (server-side) contains the associated data for this session. This can be a) very big, b) hidden from the user/browser, and c) trustworthy (because the user cannot just modify it in the browser).
It is preferred to use sessions because the actual values are hidden from the client, and you control when the data expires and becomes invalid. If it was all based on cookies, a user (or hacker) could manipulate their cookie data and then play requests to your site.
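The two properties the answers above rely on, an opaque identifier that cannot be forged into someone else's identity and a server-side store that can revoke every session of a user at once ("log me out everywhere"), in a small plain-PHP session store. This is an added example, not code from the original answers; the class name, the in-memory array (a database table with the same columns works identically) and the sample user id 42 are constructed for illustration.

```php
<?php
// Added example, not from the original answers. In-memory stand-in for a
// server-side session table: id -> {user_id, device, data}.
final class SessionStore
{
    /** @var array<string, array{user_id:int, device:string, data:array}> */
    private array $sessions = [];

    // 128-bit random id: unguessable and carries no information about the user,
    // unlike a cookie that stores user_id directly and can simply be edited.
    public function create(int $userId, string $device): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['user_id' => $userId, 'device' => $device, 'data' => []];
        return $id;
    }

    // Unknown ids yield null: a tampered cookie means "not logged in",
    // never "logged in as somebody else".
    public function userFor(string $id): ?int
    {
        return $this->sessions[$id]['user_id'] ?? null;
    }

    // "Log me out everywhere": drop every session of the user except the current one.
    // Not possible with purely client-held state, which the server cannot reach.
    public function revokeOthers(int $userId, string $keepId): int
    {
        $revoked = 0;
        foreach ($this->sessions as $id => $s) {
            if ($s['user_id'] === $userId && $id !== $keepId) {
                unset($this->sessions[$id]);
                $revoked++;
            }
        }
        return $revoked;
    }
}

// Constructed walk-through: user 42 logs in on two devices.
$store  = new SessionStore();
$laptop = $store->create(42, 'laptop');
$phone  = $store->create(42, 'phone');
assert($store->userFor(strrev($laptop)) === null);   // forged id: nobody
assert($store->revokeOthers(42, $laptop) === 1);     // phone session revoked
assert($store->userFor($phone) === null && $store->userFor($laptop) === 42);
```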

How are XMPP/ejabberd login sessions represented/maintained in each message sent? How does it compare to PHP Sessions?

I'm having a hard time trying to understand how a user can send a message after login, since there is no exchange of a session token or any other kind of token.
For example, in PHP after you log in a user, a Session ID is created for him which is stored in a cookie, and then every time he visits a page, that Session ID is retrieved from the cookie, identifying him.
How does this work with XMPP/ejabberd, since no token is exchanged after authentication?
I found this:
Session Manager: This module routes packets to local users. It searches for what user resource a packet must be sent to via the presence table. If this resource is connected to this node, it is routed to the C2S process; if it is connected via another node, then the packet is sent to the session manager on that node.
... but I'm not sure it is related to my question, and even if it is, I still don't get how this relates to the login the user just made.
In XMPP, a TCP connection is kept open (often with TLS encryption). Every message sent over that connection is assumed to be from the user that has authenticated.
Session support given by the urn:ietf:params:xml:ns:xmpp-session namespace is deprecated and most servers do nothing in response to <session/>.

How to persist session data in an AngularJS application?

I have this web app written in AngularJs that uses cookies to authenticate the requests in a REST API.
Once the user logs in, the cookie is received and saved in the browser, and all subsequent requests send the cookie along to the server. There is a 'User' service/object that saves the isLoggedIn and username values (for UI display/flow). Now, if I refresh the 'index' page, the app restarts. This means that my 'User' object will be cleared. I can check the existence of the cookie and, if it exists, I can re-set User.isLoggedIn to true and go from there, but I still need to get the username, id, etc. So, my question is: should I create some sort of 'ping' endpoint in the API to verify if a cookie is valid? And if so, the API would send me back the user id and username... OR should I persist the user data in LocalStorage (or some similar cross-browser thing) and just assume the user is logged in if the cookie exists? Any other subsequent requests to pages that need authentication would be automatically verified. So, this question really only applies to the scenario where the user refreshes the index page - hence, restarting the web app. I want to know the user data because I want to show a 'user homepage' instead of the 'public homepage'.
What do you think?
You should depend on the server for this. Create something like a GetCurrentUser method on the server. If the user is logged in, this returns all the properties of the user.
You should even use this server API to get the user data after authentication completes. So authentication becomes a two-step process: first the user is authenticated; on success, another call is made to the server to get the current user's details.
Using client-side local storage for this would not be ideal, because you need to do a lot of bookkeeping in terms of clearing the logged-in user on logout or session expiration.
Also, cookies from the server would have expiration times and all, and making the decision just based on a cookie existing in local storage may not be the optimal approach.

What exactly is meant by session in the context of a Web Application

I did a little bit of Web Programming here and there but I never quite understood what's meant by the word Session.
I've googled a bit here and there, read the Wikipedia article, but could never quite grasp the meaning of it.
So, what's a Session?
Session is a way of persisting your information across multiple pages and requests. When you visit the login page of any site and you provide your username and password, you won't need to provide them again on subsequent pages.
This is done by attaching a session id, unique to your request, and is sent back and forth as you navigate pages.
Session Id could be stored in cookies (file on your system), in the URL as part of query string or in the database
A session is a place for storing data for a particular visitor of your site.
You can store data there that is also available on the next page request from that visitor. If some data is stored 'in the session', it means that the data is stored somewhere (possibly in the database of the server or in files) which the server can then use to construct the web page.
The visitor will receive a temporary cookie which contains a session id, an identifier which is used to associate that visitor with the session data that is stored on the web server.
The session id is sent to the server with each request and the server can lookup the stored session data (which can then be used to construct the web page).
It's the concept of keeping state around over an inherently stateless protocol like HTTP.
If you want to keep track of a logged-in user, for example, and maybe some data associated with that user, you could send that data between the server and the client each time, which of course would be terribly insecure. Or you could keep it in a session store on the server, for example a file or a database, and just exchange an identifier for the storage location between client and server. That's usually done via cookies these days, but could also be a parameter in the URL.
To make it simple:
If you first visit the site, the server gives the client an identifier. With this, the server can identify a client across several requests from the client to the server. The identifier is deleted after a preset time.
The combination of this identifier and the timeframe the identifier is valid for is called a session.
Hope that helps. :-)
Session: An interaction between user & server, which has an ID associated with it. So that server can pin-point & serve the users according to their requests. Cookies are basically used for storing the session information because by default HTTP is state-less.
