How to bake delicious cookie (RESTful Meetup #03)
Toru Yamaguchi (@zigorou)
DeNA Co.,Ltd.
Mobage Platform Senior Architect
Monday, April 14, 2014
Self Introduction
• Platform Architect
• RESTful APIs, JSON-RPC APIs design and impl
• OpenSocial JavaScript API design
• Native SDK backend design
• Activity Streams backend design and impl
• Mobage Connect (OAuth 2.0 and OpenID Connect Server)
design
• JavaScript SDK design
• etc ...
• Perl Monger
• https://metacpan.org/author/ZIGOROU
• Profile
• @zigorou (twitter)
Recent implementation
• JSON Pointer (perl)
• JSON::Pointer
• JSON Schema validator (perl)
• JSV (not released to CPAN)
My recent interest
• Guessing how typical web applications are built
• Especially the session behaviour of STATEful web applications
Cookie???
HTTP Cookie!
• Today we learn the details of HTTP cookie behavior
• And then we learn advanced cookie usage
Host Cookie
• A host cookie is set by a Set-Cookie response header without a Domain attribute
• A host cookie is sent back only to the host that set it (the sender)
Domain Cookie
• A domain cookie is set by a Set-Cookie response header with a Domain attribute
• A domain cookie is sent to the sender domain and all of its sub-domains.
Host and Domain Cookie Differences
• Host Cookie, set by the sender (say aaa.example.com):
• Set-Cookie: foo=1;
• sent back to aaa.example.com only, never to bbb.example.com
• Domain Cookie, set by the same sender:
• Set-Cookie: foo=1; domain=example.com
• sent to aaa.example.com and bbb.example.com alike
Typical usage of domain cookie
• Sharing UserAgent STATE between many web services that have the same domain suffix
• login session
• tracking
The path attribute
• The path attribute controls whether the UserAgent sends the cookie, based on the request URI path
• Many services make interesting use of this feature
• Especially Google+ SignIn
The path behavior
• Set-Cookie: xyz=1; path=/foo
• Request to /foo: cookie sent
• Request to /foo/bar: cookie sent
• Request to /abc: not sent
• Request to /: not sent
Gmail multiple sessions by path attribute
• Each signed-in account (personal, work, ...) gets its own session cookie scoped to its own path
• /mail/u/0
• /mail/u/1
Transactional session (1)
• Creating a temporary transactional resource
• GET /resources/new
• 302 Found
• Location: /resources/{resId}
• Set-Cookie: TSID=xyz123; path=/resources/{resId}
• Continue the process until the transaction finishes
Transactional Session (2)
• The path attribute ensures the sharing scope of the transactional session is only under the transactional resource endpoint
• Managing STATE by URI !!!
• Secure
• Expiration friendly
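As an added example (not from the slides), the Python below simulates the RFC 6265 scoping rules behind the host-cookie, domain-cookie, path and transactional-session slides above: which stored cookies a user agent attaches to a given host and path. The hostnames, the resource id 42 and the request list are constructed.

```python
"""Added example: simulating RFC 6265 cookie scoping (host-only vs Domain, and Path)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-cased
    host_only: bool   # True when the Set-Cookie header had no Domain attribute
    path: str         # effective path


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it (IP case omitted)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: exact match, or cookie-path is a directory prefix of request-path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path: the directory part of the request path, else '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def parse_set_cookie(header: str, request_host: str, request_path: str) -> Cookie:
    """Store a Set-Cookie header value received from request_host for request_path."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    path = attrs.get("path", "")
    if not path.startswith("/"):
        path = default_path(request_path)
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return Cookie(name, value, request_host.lower(), True, path)
    # A host may only set a Domain cookie for itself or a parent domain it belongs to
    # (a real UA additionally rejects public suffixes such as "com"; omitted here).
    if not domain_match(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    return Cookie(name, value, domain, False, path)


def cookies_for(jar: List[Cookie], host: str, path: str) -> List[str]:
    """Names of the stored cookies a user agent would attach to a request."""
    sent = []
    for c in jar:
        if c.host_only:
            in_scope = host.lower() == c.domain
        else:
            in_scope = domain_match(host, c.domain)
        if in_scope and path_match(path, c.path):
            sent.append(c.name)
    return sent


def where_sent(cookie: Cookie, requests: List[Tuple[str, str]]) -> List[str]:
    """'host/path' strings for every request the given cookie would be sent with."""
    return [host + path for host, path in requests if cookies_for([cookie], host, path)]


def run_scenarios() -> Dict[str, List[str]]:
    """Replay the slides' four cookies against a constructed set of requests."""
    sender, sibling = "aaa.example.com", "bbb.example.com"
    requests = [
        (sender, "/"), (sibling, "/"),
        (sender, "/foo"), (sender, "/foo/bar"), (sender, "/foobar"), (sender, "/abc"),
        (sender, "/resources/42/confirm"), (sender, "/resources/43"),
    ]
    return {
        "host": where_sent(parse_set_cookie("foo=1", sender, "/"), requests),
        "domain": where_sent(parse_set_cookie("foo=1; domain=example.com", sender, "/"), requests),
        "path": where_sent(parse_set_cookie("xyz=1; path=/foo", sender, "/"), requests),
        "tsid": where_sent(
            parse_set_cookie("TSID=xyz123; path=/resources/42", sender, "/resources/42"), requests),
    }


if __name__ == "__main__":
    for label, targets in run_scenarios().items():
        print(f"{label:>6}: {', '.join(targets)}")
```

Note that /foobar does not match path=/foo and /resources/43 does not match path=/resources/42: the prefix must end at a "/" boundary, which is what keeps the transactional cookie inside its resource.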
JSON Web Token
• Do you know JWT?
• JWT is JSON Web Token
• A JWT carries an original JSON object
• JWT has a few registered claims (roughly a vocabulary)
• issuer, audience, subject
• issued at, expiration time
• etc ...
• JWT supports signing (JWS) and encryption (JWE)
JWT encode/decode
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::WebToken qw(
    encode_jwt
    decode_jwt
);

# sign a small claims hash with a shared secret, then verify and decode it
my $jwt  = encode_jwt({ foo => 1 }, "secret");
my $json = decode_jwt($jwt, "secret");
Using JWT to login session cookie (1)
• The expiration time of a JWT is server-side time
• But a cookie's expiration time is client-side time
• So the server can often confirm expiration without looking up the session DB
• Verify the UserAgent
• Embed a UA hash value in the JWT
• Verify the session
• It is just verification of the JWT signature.
Using JWT to login session cookie (2)
use JSON qw(decode_json);
use JSON::WebToken qw(encode_jwt);

# the session claims are parsed from JSON, then signed with the shared secret
my $session_value = encode_jwt(decode_json(<<JSON
{
    "jti": "1234567",
    "iss": "https://authz.example.com",
    "aud": "https://authz.example.com",
    "sub": "https://profile.example.com/zigorou",
    "https://schema.example.com/session": {
        "ua_hash": 331365789,
        "remote_addr_ipv4_hash": 595682001,
        "tracking_cookie_hash": 1361976131
    },
    "iat": 1397293921,
    "exp": 1397380321
}
JSON
), "secret");
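An added Python example (not the slides' Perl code) of the login-session check described on the two slides above: a minimal HS256 JWT encoder/decoder, a session token carrying a ua_hash claim, and a verify step that checks the signature, issuer/audience, exp against the server clock and the UA binding, all without a session DB. The 32-bit SHA-256 fingerprint, the secret and the user-agent string are assumptions.

```python
"""Added example: HS256 JWT as a login-session cookie value with server-side checks."""
import base64
import hashlib
import hmac
import json
from email.utils import formatdate
from typing import Any, Dict, Optional

ISSUER = "https://authz.example.com"
SECRET = b"secret"  # constructed, as on the slide; use a long random key in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: Dict[str, Any], secret: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256 (JWS compact form)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, secret: bytes) -> Dict[str, Any]:
    """Return the claims only after the signature verifies; raise ValueError otherwise."""
    try:
        head, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(head))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{head}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    return claims


def fingerprint(value: str) -> int:
    """Assumed hash for the slide's ua_hash-style claims: first 32 bits of SHA-256."""
    return int(hashlib.sha256(value.encode("utf-8")).hexdigest()[:8], 16)


def issue_session(sub: str, user_agent: str, now: int, ttl: int = 86400) -> str:
    """Build the session JWT from the slide, binding it to the user agent."""
    claims = {
        "jti": "1234567",   # constructed; generate a random id per session
        "iss": ISSUER,
        "aud": ISSUER,
        "sub": sub,
        "https://schema.example.com/session": {"ua_hash": fingerprint(user_agent)},
        "iat": now,
        "exp": now + ttl,
    }
    return encode_jwt(claims, SECRET)


def verify_session(token: str, user_agent: str, now: int) -> Optional[Dict[str, Any]]:
    """Server-side check with no session DB: signature, issuer/audience, exp, UA binding."""
    try:
        claims = decode_jwt(token, SECRET)
    except ValueError:
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != ISSUER:
        return None
    if now >= claims.get("exp", 0):   # the server clock decides, not the cookie's Expires
        return None
    session = claims.get("https://schema.example.com/session", {})
    if session.get("ua_hash") != fingerprint(user_agent):
        return None
    return claims


def session_cookie(token: str, exp: int) -> str:
    """Set-Cookie value whose client-side Expires mirrors the authoritative JWT exp."""
    return f"SID={token}; Path=/; Expires={formatdate(exp, usegmt=True)}; Secure; HttpOnly"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed)"
    tok = issue_session("https://profile.example.com/zigorou", ua, 1397293921)
    print("Set-Cookie:", session_cookie(tok, 1397380321))
    print("valid now:", verify_session(tok, ua, 1397293921 + 60) is not None)
    print("valid at exp:", verify_session(tok, ua, 1397380321) is not None)
```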
Transparent Session State Cookie
• Defined in the OpenID Connect Session Management specification (http://openid.net/specs/openid-connect-session-1_0.html)
• Using a cookie without the HttpOnly attribute, it provides a Single Logout mechanism between the Authorization server and client applications.
• If you are interested in it, please read the specification
• Mobage Connect (my current work) supports it
Thanks
• If you have any questions, talk to me at the get-together.