Leaving the State: Sessionless (Stateless) Authentication in D8

Presentation transcript:

Leaving the State: Sessionless (Stateless) Authentication in D8 DrupalCon Nashville 2018

These Guys: Dr J Daverth, Technical Lead, Whole Foods Market (D.O.: dr-jay; BitBucket: drjdaverth; LinkedIn: drjdaverth). Adam Weingarten, Senior Technical Architect, Acquia (D.O.: adam.weingarten; GitHub: aweingarten; LinkedIn: adam.weingarten).


What are we going to talk about? ● Why scaling authenticated traffic is hard ● What sessionless auth is ● How you can use it to manage a single login across multiple sites ● Working with an external auth provider (Janrain) ● PIIaaS: storing PII as a service behind an API ● Proxying web-service calls: don't do it! ● How to delegate an OAuth token

Case Study: International Retail Brand. Launched July 2012 on Drupal 7. Designed for a much more static world: full page refreshes, not service based.

Deep dive into the issues on D7. Primitive Janrain social integration: really heavyweight on page load. Bloated DB: copies took forever, and it stored unnecessary PII. Authenticated experiences required full page loads, which meant those pages weren't cacheable.

D8 High-level Goals. Technical drivers: support 10% authenticated traffic; SSO between D7 and D8; personalized digital experience; mobile / responsive experience.

Back to the Basics: scaling anonymous traffic is easy. Let the CDN do the lifting (Fastly, Akamai, CloudFlare), with Varnish in front of your web servers. The first request hits your origin; the response is stored at Varnish and the CDN and served from there afterwards. For anonymous traffic, caching solves most of the problem.

What is a Session? The sequence of interactions between client and server, or between user and system; the period during which a user is logged in or connected. -- Thus spoke Wikipedia

What is a PHP Session? The $_SESSION superglobal. Start with session_start() early in your PHP script. Drupal wraps it and stores the session data across requests in the DB. A cookie value (the session ID) identifies you; the ID is the only thing the client holds, and every request that carries it costs a DB lookup.

What does it Look Like?

Why are Sessions a PAIN? An authenticated Drupal response looks like this:

HTTP/1.1 200 OK
Age: 0
Cache-Control: must-revalidate, no-cache, private
Via: 1.1 varnish-v4
Connection: keep-alive
X-Cache: MISS, MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1508437362.252176,VS0,VE296

"Cache-Control: private, no-cache" bypasses every cache layer (X-Cache: MISS at each hop). No cache for you!

Under Pressure Your DB and your webserver

Opposition of Forces New experience requires personalization Our infrastructure sucks at personalized data

Oh, did you forget? We also need to support seamless login between D7 and D8. Either log in on one system and let the second system hit a service to confirm the user is authenticated, or set a token that both sites can read.

Solutions not problems After we have crushed your soul let’s build you back up.

Traditional Auth (diagram): the user authenticates against the IDP ("Yeah, they're cool"); Drupal 8 gets the session from MySQL session tables, which return the session data, and then returns the personalized data.

Stateless (Sessionless) Auth: the user authenticates with something. Once they pass the bouncer, give them an encrypted token the user can't read. Any time they try to do something special they present the token; the bouncer decrypts it and lets them through. The server keeps no record of the token, so the token must be integrity-protected as well as encrypted (authenticated encryption, or a MAC over the ciphertext); otherwise the server has no way to tell a token it issued from one the user altered.

From Drupal’s POV

What is in the Magic Encrypted Token? Anything that might live in a PHP session or the user table: API user IDs and the session expiration time.

How does this let me do D7 and D8? Assuming the two sites are on the same domain or on subdomains of it, both sites can read the cookie (set it with the Domain attribute of the shared parent domain, plus Secure and HttpOnly). With a shared decryption key, both can read the token. I log in on D8, then go to a page hosted at D7, and D7 accepts the same cookie.

I used to log people out by truncating the session table. Now what??

We can show you how to prevent world domination by zombies. Umm, yeah, that... How: take the issue timestamp stored in the decrypted cookie and add the session lifetime. If that is less than or equal to the current time, the token has expired: send back an expiration message and handle it on the frontend. Because there is no session table any more, there is nothing to truncate; rotating the shared key logs everyone out at once, and per-user logout needs something stateful again (a denylist, or a per-user token version checked on each request).
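The token mechanism from the last few slides, as an added example in Python that is not code from the talk or from Whole Foods Market or Acquia: issue a token carrying the API user ID and the issue/expiry times, verify it on either site with the shared key set, reject expired or tampered tokens, and log everyone out by retiring a key. It uses an HMAC-SHA256 signature rather than encryption: the signature is what stops a user forging or editing the claims; if the payload must also be unreadable to the user, as the slides prefer, encrypt it with an authenticated cipher from a real library (for example AES-GCM) before signing. The key-id prefix, the lifetime, the key names and the demo key are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SESSION_LIFETIME = 60 * 60  # seconds; assumed value, not from the slides


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(txt: str) -> bytes:
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))


def issue_token(keys: Dict[str, bytes], kid: str, api_user_id: str,
                issued_at: Optional[int] = None,
                lifetime: int = SESSION_LIFETIME) -> str:
    """Build '<kid>.<payload>.<tag>'.

    The payload is what the slides put in the token: the API user id plus
    issue and expiry timestamps. The tag is HMAC-SHA256 over the key id and
    the payload, so neither can be changed without the shared key.
    """
    iat = int(time.time()) if issued_at is None else issued_at
    payload = {"uid": api_user_id, "iat": iat, "exp": iat + lifetime}
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(keys[kid], f"{kid}.{body}".encode(), hashlib.sha256).digest()
    return f"{kid}.{body}.{_b64e(tag)}"


def verify_token(keys: Dict[str, bytes], token: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is genuine and unexpired, else None.

    D7 and D8 both call this with the same key set; no DB lookup is needed.
    """
    try:
        kid, body, tag_txt = token.split(".")
        tag = _b64d(tag_txt)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    key = keys.get(kid)
    if key is None:
        return None  # key retired: every token issued under it is logged out
    expected = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None  # tampered payload, wrong key, or forged token
    payload = json.loads(_b64d(body))
    now = int(time.time()) if now is None else now
    if now >= payload["exp"]:
        return None  # expired: send the expiration response, frontend re-authenticates
    return payload


if __name__ == "__main__":
    shared = {"k1": b"0123456789abcdef0123456789abcdef"}  # constructed demo key
    tok = issue_token(shared, "k1", "api-user-42", issued_at=1_000_000)
    print(verify_token(shared, tok, now=1_000_100))              # payload dict
    print(verify_token(shared, tok, now=1_003_600))              # None: expired
    print(verify_token(shared, tok + "x", now=1_000_100))        # None: bad tag
    print(verify_token({"k2": shared["k1"]}, tok, now=1_000_100))  # None: key retired
```

The key set is a dict keyed by key id so that a new key can be added before the old one is removed; tokens issued under the old key keep working until it is dropped, which is the stateless replacement for truncating the session table.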

PIIaaS Storing Personally Identifiable Information (PII) as a Service (API)

PII as a Service: all personalized content on iOS, Android and Web is served via the API. Drupal is a consumer of the API like anyone else. No DB calls, no PII unnecessarily stored in Drupal. Clear separation of concerns.

Lesson Learned Proxying webservice calls is bad.

Yeah, this is why it's really bad: latency. Each web server has a finite number of concurrent PHP processes, and when you make a web-service call from PHP you tie up one of those processes waiting for the response. That caps transactions per second: with N PHP workers each blocked for T seconds on the upstream call, the server cannot sustain more than about N/T requests per second, whatever the hardware.

How do we fix it?

The browser accesses the API layer directly, presenting its own token, without Drupal as an intermediary; no PHP process waits on the upstream response, and the API enforces authentication itself.

How scalable?

Very Scalable

Ended up with: Scalable System Separation of concerns: Each part of our stack can focus on doing 1 thing well.

Questions?

Thank you!