in Mule ESB I use Object Store, but variable in Object store is global for all connection on my TCP connection, how do it different from other connection? Like session in PHP?
Just use a unique Object Store key as an access token you provide to each client. That's what a PHP session does: it provides a token in a cookie or the url and stores session data using that token as a key.
Related
for example: if i have Asp.net web Api Application and this application get a Token from Client To send Notification for this Client with this Token and every Client have a different Token.
How can I save this Token for each individual Client To every Client use his Special Token more Times from different Computer or From different Browser??
Schould I use cookies or Session or is there something else??
It is worth noting that the Token is sent from the client and used by the server
The WebAPi is a Stateless Project that mean you do not need to manage the state for every client!
For example, if you use JWT token, once the token created by API, client must send the token for every request.
BUT
If you need to save a token for more use!
Four options come to mind :
1-use your primary db(ex:SQL Server) to save the token!and retrieve every time you need!(Not a good idea)
2-save your token to Redis!
3-create a static class with Singleton lifetime, then with dictionary you can save the token for every client to memory!
4-Use In-memory Database link
So, I would like to implement complex session management in my application. Essentially, I would like to store user sessions both in the postgre and Redis.
So, the algorithm should be the following:
A request is sent to the app, the application parses incoming request cookies and extracts a session parameter;
Spring server tries to retrieve respective session object by id from Redis
If the previous step succeeds, then the server verifies the session and lets the request pass through if the session is active and valid. Otherwise - unauthorized path.
If the session object isn't present in the Redis, then the server tries pulling a member session from the postgre. Does the same verifications and caches the response. If the session isn't valid or isn't present in RDBMS - go to the unauthorized path.
Is there any elegant way to implement the following mechanism using existing packages? Or will this require custom logic?
So, I watched this video - https://www.youtube.com/watch?v=TggWLDAXmb4
And I was able to get a gist of how basic security mechanisms work in Spring and implement the workflow described above;
Basically, you will need to have:
Custom security filter that will be preparing specific Authentication;
Custom authentication provider that will be performing authentication (checking session)
I have the following scenario that I am curious if it is possible to implement. I need to use SSO and more specifically OneLogin to authenticate the user via custom UI from my Java standalone application. I know this can be done via Create Session Login Token and then Create session via token One Login API calls. With some parsing I can get the session cookie out of the last call and store it.
Now I need to programmatically hit the API server, which is to be build still and this server somehow needs to validate the session cookie that I am going to send along with request. The key word "Programatically" as in there will be no browser
OneLogin doesn't provide SDK to validate existing session cookie => it would be nice if I could, based on session cookie find out if it is still valid and what is the user name used for this session. If session is invalid API server would return unauthorized.
Is this even possible? Or is it possible in some other way?
Basically One Login is already used in our ecosystem and I have to continue using it
The app that will log user in and get the session cookie may not be the one calling the API server. This could be another java application that would receive the session
I guess what I am looking for is Validate Session equivalent from Open ID Connect API in general API
The session_token that is returned via that API has a short expiry is only intended to be used for making the Create Session request which returns session cookies.
It sounds like OpenId Connect might be the best option for this use case. If you have user credentials then you could use the Resource Owner Password Grant flow to authenticate the user and obtain an id_token.
The id_token is a JWT containing user details can then be verified for authenticity by checking its signature, audience and expiry claims. It can also hold other custom information about the user that may be used by your backend application.
I am trying to understand, how exactly the session management mechanism in a stateless web application works. Currently I am using Play Framework but I think the mechanism should be the same for all of the stateless web frameworks
this is from the documentation of play framework: (link)
It’s important to understand that Session and Flash data are not stored by the server but are added to each subsequent HTTP request, using the cookie mechanism
and
Of course, cookie values are signed with a secret key so the client can’t modify the cookie data (or it will be invalidated).
Now my question is, if the server does not save anything about a session id, how does it authenticate a session coming from a client?!
I did a lot of searching, but I couldn't find out, how the session management on the server side really works.
Now my question is, if the server does not save anything about a
session id, how does it authenticate a session coming from a client?
What play does is it signs your session data through a key say KEY(Its the application.secret that you set in application.conf) and produce a alphanumeric data. Then it attaches both data and encrypted data to cookie and sends it back
ENCRYPTED DATA= 5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea
DATA = userEmail=sil#st.com&userName=silentprogrammer
If you Inspect the cookie(Right click on browser->Inspect element->Application->Cookie->Your url) in the browser of your running application you can see something like
"5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea-userEmail=sil#st.com&userName=silentprogrammer"
For each request it gets the data part(userEmail=sil#st.com&userName=silentprogrammer) signs the data again from the KEY and checks it to the alphanumeric data coming from request i.e. 5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea if the both are equal(if data and encryption key is same) the session is confirmed otherwise session expire. You can confirm this by changing the data part from cookie in browser and sending the request again the session will not exist.
This is what I have observed
I will be using stateless web app architecture. For authentication I will be encrypting the authenticationid and putting it in client cookie and sending it to client as described here.
But I see that when a get request is send to the server, the response contains a cookie named laravel_session. I've read that for a stateless architecture, there should be no session as otherwise it would mean that session state is stored at server.
How to remove any kind of session from laravel to make my app stateless?
Set session driver:
Laravel v5.7.0: config/session.php
Laravel v4.2.0: app/config/session.php
cookie - a cookie-based session driver where session data is encrypted in the user's cookies.
array - session data is saved in a PHP array. Take note that the array session driver does not support persistence and is usually only used in console commands and tests.