6. HTTP Cookie!
• Today we look at HTTP cookie behavior in detail
• Then we look at advanced cookie usage
Monday, April 14, 2014
7. Host Cookie
• A host cookie is one received in a Set-Cookie response header that has no Domain attribute
• A host cookie is sent back only to the exact host that set it (not to its subdomains)
8. Domain Cookie
• A domain cookie is one received in a Set-Cookie response header that has a Domain attribute
• A domain cookie is sent to the sender's domain and all of its subdomains (the UserAgent ignores a leading dot, and rejects the cookie if the sending host is not under the given Domain)
10. Typical usage of domain cookie
• Sharing UserAgent STATE between many web services that share the same domain suffix
• login session
• tracking
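The host-cookie versus domain-cookie rule of slides 7, 8 and 10, as an added example that is not code from the original slides: a small model of how a user agent stores a Set-Cookie header and decides which cookies go to which host, following RFC 6265 (5.2.3 Domain attribute, 5.1.3 domain-match, 5.3 storage, 5.4 Cookie header). Only the Domain attribute is modelled; Path, Secure and Expires are left out, and the host names are constructed for the example.

```javascript
// Added example, not code from the original slides: how a user agent decides
// which cookies to send to a host, following RFC 6265 (5.2.3 Domain attribute,
// 5.1.3 domain-match, 5.3 storage, 5.4 Cookie header). Only the Domain
// attribute is modelled; Path, Secure and Expires are left out here.
// Host names used with these functions are constructed for the example.

// RFC 6265 5.1.3: a host domain-matches a domain string when they are equal,
// or when the host ends with "." + domain and the host is not an IP address.
function domainMatch(host, domain) {
  if (host === domain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith('.' + domain);
}

// Parse one Set-Cookie header value received from requestHost.
// Returns the cookie to store, or null when the UA must reject it.
function parseSetCookie(headerValue, requestHost) {
  const host = requestHost.toLowerCase();
  const [nameValue, ...attrs] = headerValue.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  if (eq <= 0) return null; // 5.2 step 3: the cookie name must be non-empty
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    hostOnly: true, // no Domain attribute => host cookie (slide 7)
    domain: host,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    if (k.toLowerCase() !== 'domain' || v === '') continue;
    const domain = v.toLowerCase().replace(/^\./, ''); // 5.2.3: leading dot ignored
    // 5.3 step 6: if the sending host is not under Domain, ignore the cookie entirely
    if (!domainMatch(host, domain)) return null;
    cookie.hostOnly = false; // Domain present => domain cookie (slide 8)
    cookie.domain = domain;
  }
  return cookie;
}

// 5.4 step 1: the cookies from the jar that are sent to requestHost.
// A host cookie needs an exact host match; a domain cookie needs a domain-match.
function cookiesFor(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map((c) => `${c.name}=${c.value}`);
}
```

A real user agent additionally rejects a Domain attribute that names a public suffix (for example `Domain=com`), using the Public Suffix List; that check is omitted above.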
11. The path attribute
• The Path attribute restricts which URI paths the UserAgent sends a cookie to
• Many services put this feature to interesting use
• Especially Google+ Sign-In
14. Transactional session (1)
• Create a temporary transactional resource
• GET /resources/new
• 302 Found
• Location: /resources/{resId}
• Set-Cookie: TSID=xyz123; path=/resources/{resId}
• Continue processing under that resource until the transaction finishes
15. Transactional Session (2)
• The Path attribute ensures the sharing scope of the transactional session is only the subtree under the transactional resource endpoint
• Managing STATE by URI !!!
• Secure (as scoping hygiene; RFC 6265 section 8.6 warns that Path is not a security boundary, so the server should still bind each TSID to its resId)
• Expiration friendly
16. JSON Web Token
• Do you know JWT?
• JWT is JSON Web Token
• A JWT carries the original JSON object
• JWT has a few registered claims (≈ a vocabulary)
• issuer (iss), audience (aud), subject (sub)
• issued at (iat), expiration time (exp)
• etc ...
• JWT supports signature (JWS) and encryption (JWE)
17. JWT encode/decode
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::WebToken qw(encode_jwt decode_jwt);

# Sign the claims { foo => 1 } with a shared secret (HS256 is the default algorithm)
my $jwt  = encode_jwt({ foo => 1 }, "secret");

# Verify the signature with the same secret and get the claims back as a hashref
my $json = decode_jwt($jwt, "secret");
18. Using JWT as login session cookie (1)
• The JWT's expiration time (exp) is checked against the server's clock
• But a Cookie's Expires time is honored by the client's clock, which the server cannot trust
• And more, the server can confirm expiration without looking up a session DB
• Verify UserAgent
• Embed a hash of the UA string in the JWT
• Verify session
• It is just a verification of the JWT signature (a stateless session, so revoking it before exp needs extra server-side state)
20. Transparent Session State Cookie
• In the OpenID Connect Session Management specification (http://openid.net/specs/openid-connect-session-1_0.html)
• Using a cookie without the HttpOnly attribute, it provides a Single Logout mechanism between the Authorization Server and client applications
• If you are interested, please read the specification
• Mobage Connect (my current work) supports it
21. Thanks
• If you have any questions, talk to me at the get-together.