How to bake delicious cookie
Toru Yamaguchi (@zigorou)
DeNA Co.,Ltd.
Mobage Platform Senior Architect
Monday, April 14, 2014
Self Introduction
• Platform Architect
• RESTful APIs, JSON-RPC APIs design and impl
• OpenSocial JavaScript API design
• Native SDK backend design
• Activity Streams backend design and impl
• Mobage Connect (OAuth 2.0 and OpenID Connect Server) design
• JavaScript SDK design
• etc ...
• Perl Monger
• https://metacpan.org/author/ZIGOROU
• Profile
• @zigorou (twitter)
Recent implementation
• JSON Pointer (perl)
• JSON::Pointer
• JSON Schema validator (perl)
• JSV (not released to CPAN)
My recent interest
• Working out how typical web applications are built
• Especially the session behavior of STATEful web applications
Cookie???
HTTP Cookie!
• Today we learn the details of HTTP cookie behavior
• And then we learn some advanced cookie usage
Host Cookie
• A host cookie is set by a Set-Cookie response header without a domain attribute
• A host cookie is sent back only to the host that set it
Domain Cookie
• A domain cookie is set by a Set-Cookie response header with a domain attribute
• A domain cookie is shared with the sender domain and all of its sub-domains.
Host and Domain Cookie Differences
[diagram: sender aaa.example.com and sibling host bbb.example.com, shown once per cookie kind]
Host Cookie: Set-Cookie: foo=1 (sent back to aaa.example.com only)
Domain Cookie: Set-Cookie: foo=1; domain=example.com (sent to both aaa.example.com and bbb.example.com)
Typical usage of domain cookie
• Sharing UserAgent STATE between many web services that have the same domain suffix
• login session
• tracking
The path attribute
• The path attribute controls, by URI path, which requests the UserAgent sends the cookie with
• Many services make interesting use of this feature
• Especially Google+ SignIn
The path behavior
Set-Cookie: xyz=1; path=/foo
[diagram: requests for /foo and /foo/bar carry the cookie; requests for /abc and / do not]
Gmail multiple session by path attribute
[diagram: personal account session scoped to /mail/u/0, work account session scoped to /mail/u/1]
Transactional session (1)
• Creating a temporary transactional resource
• GET /resources/new
• 302 Found
• Location: /resources/{resId}
• Set-Cookie: TSID=xyz123; path=/resources/{resId}
• Continue the process until the transaction finishes
Transactional Session (2)
• The path attribute ensures the scope of the transactional session is limited to the transactional resource endpoint
• Managing STATE by URI !!!
• Secure
• Expiration friendly
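The host cookie, domain cookie, path=/foo and transactional TSID cases from the preceding slides, worked through in Python as an added example (not code from the talk): it implements the RFC 6265 domain-match, path-match and default-path rules and reports which cookies a user agent would attach to a given URL. Hosts, cookie values and the resource id 42 are constructed.

```python
"""RFC 6265 cookie scoping: domain-match, path-match and the default path.

Added example, not code from the talk. It reproduces the host/domain cookie,
path=/foo and transactional TSID cases from the slides; hosts, cookie values
and the resource id 42 are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    sender_host: str       # host whose response carried the Set-Cookie header
    domain: Optional[str]  # Domain attribute; None means a host cookie
    path: str              # Path attribute, or the RFC 6265 default path


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: the request path up to, not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a sub-domain of it.

    Browsers also refuse public suffixes (domain=com); that list is not modelled.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: path=/foo matches /foo and /foo/bar but not /foobar."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, sender_host: str, request_path: str = "/") -> Cookie:
    """Parse name=value plus the Domain and Path attributes of a Set-Cookie header.

    A Domain that does not cover the sending host is rejected (RFC 6265 5.3 step 6),
    so a response from bbb.example.com cannot plant a cookie for aaa.example.com.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = None, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            path = val
    if domain is not None and not domain_match(sender_host, domain):
        raise ValueError(f"{sender_host} may not set a cookie for {domain}")
    return Cookie(name.strip(), value, sender_host.lower(), domain,
                  path or default_path(request_path))


def is_sent(cookie: Cookie, url: str) -> bool:
    """Would a user agent attach this cookie to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.domain is None:
        host_ok = host == cookie.sender_host          # host cookie: that host only
    else:
        host_ok = domain_match(host, cookie.domain)   # domain cookie: sub-domains too
    return host_ok and path_match(parts.path or "/", cookie.path)


def cookies_for(cookies, url: str) -> list:
    """Names of the cookies that would be sent with a request for url."""
    return [c.name for c in cookies if is_sent(c, url)]


if __name__ == "__main__":
    # Constructed sample following the host/domain, path and transactional slides
    jar = [
        parse_set_cookie("foo=1", "aaa.example.com"),
        parse_set_cookie("bar=1; domain=example.com", "aaa.example.com"),
        parse_set_cookie("xyz=1; path=/foo", "aaa.example.com"),
        parse_set_cookie("TSID=xyz123; path=/resources/42", "aaa.example.com", "/resources/new"),
    ]
    for url in ("https://aaa.example.com/foo/bar", "https://bbb.example.com/foo",
                "https://aaa.example.com/resources/42", "https://aaa.example.com/abc"):
        print(url, cookies_for(jar, url))
```

RFC 6265 section 8.5 notes that the Path attribute only controls which requests carry the cookie; the same-origin policy ignores paths, so path scoping does not isolate the TSID cookie from other content on the same host.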
JSON Web Token
• Do you know JWT?
• JWT is JSON Web Token
• A JWT carries the original JSON object
• JWT has a few registered claims (≒ a vocabulary)
• issuer, audience, subject
• issued at, expires at
• etc ...
• JWT supports signatures (JWS) and encryption (JWE)
JWT encode/decode
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::WebToken qw(encode_jwt decode_jwt);

# Sign the claims with the shared secret
my $jwt = encode_jwt({ foo => 1 }, "secret");
# Verify the signature with the same secret and get the claims back
my $json = decode_jwt($jwt, "secret");
Using JWT as the login session cookie (1)
• The expiry time of a JWT is server-side time
• But a cookie's expiry time is client-side time
• So the server can often confirm expiration without looking up the session DB
• Verify the UserAgent
• Embed a hash of the UA in the JWT
• Verify the session
• It is just verification of the JWT signature.
Using JWT as the login session cookie (2)
use JSON qw(decode_json);
use JSON::WebToken qw(encode_jwt);

# The signed claims become the session cookie value; the UA, address and
# tracking-cookie hashes bind the session to the client that created it
my $session_value = encode_jwt(decode_json(<<JSON
{
    "jti": "1234567",
    "iss": "https://authz.example.com",
    "aud": "https://authz.example.com",
    "sub": "https://profile.example.com/zigorou",
    "https://schema.example.com/session": {
        "ua_hash": 331365789,
        "remote_addr_ipv4_hash": 595682001,
        "tracking_cookie_hash": 1361976131
    },
    "iat": 1397293921,
    "exp": 1397380321
}
JSON
), "secret");
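The two preceding slides, worked through in Python as an added example (not the talk's Perl code): an HS256 JWT encoder/verifier built on the standard library, the session claims from the slide, and a verify step that checks signature, exp on the server clock, iss/aud and the embedded UA hash without any session DB lookup. The issuer URL, claim names and timestamps are the slide's; the fingerprint hash is an assumption, since the slide shows only the resulting numbers.

```python
"""Login-session cookie value as an HS256-signed JWT, as the slides describe.

Added example, not the talk's Perl code. The fingerprint function is assumed
(the slide shows only the resulting numbers); iss, claim names and times match the slide.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://authz.example.com"
SESSION_CLAIM = "https://schema.example.com/session"
SESSION_TTL = 86400  # exp - iat on the slide: one day


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, secret: str) -> str:
    """Return header.payload.signature with an HMAC-SHA256 signature."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def decode_jwt(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Verify signature and exp against the server clock; return the claims."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the header must never choose it ("alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    now = int(time.time()) if now is None else now
    # The cookie's Expires is client-side time; exp is checked server-side here.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def fingerprint(value: str) -> int:
    """32-bit fingerprint of a request property (assumed hash, see above)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:4], "big")


def make_session_value(jti: str, subject: str, user_agent: str, remote_addr: str,
                       tracking_cookie: str, secret: str, issued_at: int) -> str:
    """Build the JWT stored in the login session cookie (the slide's claims)."""
    claims = {
        "jti": jti,
        "iss": ISSUER,
        "aud": ISSUER,
        "sub": subject,
        SESSION_CLAIM: {
            "ua_hash": fingerprint(user_agent),
            "remote_addr_ipv4_hash": fingerprint(remote_addr),
            "tracking_cookie_hash": fingerprint(tracking_cookie),
        },
        "iat": issued_at,
        "exp": issued_at + SESSION_TTL,
    }
    return encode_jwt(claims, secret)


def verify_session(token: str, user_agent: str, secret: str, now: int) -> dict:
    """Signature, exp, iss/aud and the embedded UA hash: no session DB lookup."""
    claims = decode_jwt(token, secret, now)
    if claims.get("iss") != ISSUER or claims.get("aud") != ISSUER:
        raise ValueError("wrong issuer or audience")
    session = claims.get(SESSION_CLAIM) or {}
    if session.get("ua_hash") != fingerprint(user_agent):
        raise ValueError("user agent mismatch")
    return claims


if __name__ == "__main__":
    # Constructed sample request properties; the timestamps are the slide's.
    ua = "Mozilla/5.0 (constructed UA)"
    token = make_session_value("1234567", "https://profile.example.com/zigorou",
                               ua, "192.0.2.10", "trk-abc", "secret", 1397293921)
    print(verify_session(token, ua, "secret", 1397293921 + 60)["sub"])
```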
Transparent Session State Cookie
• Defined in the OpenID Connect Session Management specification (http://openid.net/specs/openid-connect-session-1_0.html)
• Using a cookie without the HttpOnly attribute, it provides a Single Logout mechanism between the Authorization Server and the client application.
• If you are interested in it, please read the specification
• Mobage Connect (my current work) supports it
Thanks
• If you have any questions, talk to me at the get-together.