How to bake delicious cookie
ToruYamaguchi (@zigorou)
DeNA Co.,Ltd.
Mobage Platform Senior Architect
Monday, April 14, 2014
Self Introduction
• Platform Architect
• RESTful APIs, JSON-RPC APIs design and impl
• OpenSocial JavaScript API design
• Native SDK backend design
• Activity Streams backend design and impl
• Mobage Connect (OAuth 2.0 and OpenID Connect Server) design
• JavaScript SDK design
• etc ...
• Perl Monger
• https://metacpan.org/author/ZIGOROU
• Profile
• @zigorou (twitter)
Recent implementation
• JSON Pointer (perl)
• JSON::Pointer
• JSON Schema validator (perl)
• JSV (not released to CPAN)
My recent interest
• Guessing how typical web applications are built
• Especially the session behavior of STATEful web applications
Cookie???
HTTP Cookie!
• Today we learn the details of HTTP cookie behavior
• And beyond that, we learn advanced cookie usage
Host Cookie
• A host cookie is received via a Set-Cookie response header without a domain attribute
• A host cookie is shared only with the sender host (the exact host that set it)
Domain Cookie
• A domain cookie is received via a Set-Cookie response header with a domain attribute
• A domain cookie is shared with the sender domain and its sub-domains.
Host and Domain Cookie Differences
(diagram) Host cookie: the sender (aaa.example.com) responds with Set-Cookie: foo=1; the cookie is sent back to aaa.example.com only, never to bbb.example.com.
(diagram) Domain cookie: the sender (aaa.example.com) responds with Set-Cookie: foo=1; domain=example.com; the cookie is sent to both aaa.example.com and bbb.example.com.
Typical usage of domain cookie
• Sharing UserAgent STATE between many web services that have the same domain suffix.
• login session
• tracking
The path attribute
• The path attribute controls, by URI path, which cookies the UserAgent sends
• Many services make interesting use of this feature
• Especially Google+ SignIn
The path behavior
(diagram) Set-Cookie: xyz=1; path=/foo
The cookie is sent with requests to /foo and /foo/bar, but not to /abc or /
Gmail multiple session by path attribute
(diagram) personal account: /mail/u/0; work account: /mail/u/1
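The host/domain and path rules from slides 7 to 13, as an added example that is not part of the original deck: a small model of the RFC 6265 domain-match and path-match checks a UserAgent applies when deciding which stored cookies to attach to a request. The three Set-Cookie headers are the deck's (the domain cookie is renamed to bar so it can be told apart from the host cookie foo); the URLs and the cookie jar are constructed for the example.

```python
"""Which stored cookies does a UserAgent send to a given URL?

Added example (not from the original slides): host cookies (no Domain
attribute) match only the exact host that set them, domain cookies match
the domain and its subdomains, and the Path attribute restricts sending
by URI path, per RFC 6265 sections 5.1.3 and 5.1.4.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # host that set it, or the Domain attribute
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str = "/"


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: /foo matches /foo and /foo/bar, not /foobar or /."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path when Set-Cookie has no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Store a cookie from a Set-Cookie header in a response to request_url."""
    url = urlsplit(request_url)
    host = url.hostname.lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    path = attrs.get("path") or default_path(url.path or "/")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        # a host may only set cookies for itself or a parent domain
        if not domain_match(host, domain):
            raise ValueError(f"{host} may not set a cookie for {domain}")
        return Cookie(name, value, domain, host_only=False, path=path)
    return Cookie(name, value, host, host_only=True, path=path)


def cookies_for(url: str, jar) -> list:
    """Names of the jar's cookies a UA would attach to a request for url."""
    u = urlsplit(url)
    host, path = u.hostname.lower(), u.path or "/"
    sent = []
    for c in jar:
        host_ok = host == c.domain if c.host_only else domain_match(host, c.domain)
        if host_ok and path_match(path, c.path):
            sent.append(c.name)
    return sent


# Constructed jar: the deck's three Set-Cookie headers, all set by aaa.example.com.
JAR = [
    parse_set_cookie("foo=1", "https://aaa.example.com/"),                      # host cookie
    parse_set_cookie("bar=1; domain=example.com", "https://aaa.example.com/"),  # domain cookie
    parse_set_cookie("xyz=1; path=/foo", "https://aaa.example.com/"),           # path-scoped
]

if __name__ == "__main__":
    for url in ("https://aaa.example.com/", "https://bbb.example.com/",
                "https://aaa.example.com/foo/bar", "https://aaa.example.com/abc"):
        print(url, "->", cookies_for(url, JAR))
```

The `parse_set_cookie` rejection of a Domain attribute that does not cover the setting host is the same check browsers make; without it a response from aaa.example.com could plant cookies for an unrelated domain. The Gmail case on slide 13 is the same `path_match` with cookie paths /mail/u/0 and /mail/u/1, which never match each other.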
Transactional session (1)
• Create a temporary transactional resource
• GET /resources/new
• 302 Found
• Location: /resources/{resId}
• Set-Cookie: TSID=xyz123; path=/resources/{resId}
• Continue the process until the transaction finishes
Transactional Session (2)
• The path attribute ensures the transactional session is shared only under the transactional resource endpoint
• Managing STATE by URI !!!
• Secure
• Expiration friendly
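The server side of the transactional session on slides 14 and 15, as an added example that is not the deck's code: the server creates the resource, issues a TSID cookie whose Path attribute is the resource's own URI, and later accepts that TSID only for that resource and only until the transaction's deadline. The /resources prefix, the 10-minute lifetime, the injectable clock, and the extra cookie attributes (Max-Age, Secure, HttpOnly, SameSite) are this example's assumptions, not the slides'.

```python
"""Transactional session bound to one resource URI (added example).

Binding the TSID to /resources/{resId} on both sides (the Path attribute
on the UA side, the per-resource lookup on the server side) means a TSID
is only ever presented where it is valid, and the session dies with the
transaction instead of living in a long-lived session store.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Transaction:
    res_id: str
    tsid: str
    expires_at: float
    state: dict = field(default_factory=dict)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into a name -> value map."""
    out = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            out[name] = value
    return out


class TransactionalSessionStore:
    TTL = 600  # seconds a transaction may stay open (constructed value)

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._by_res = {}        # resId -> Transaction

    def create(self):
        """GET /resources/new -> 302 to /resources/{resId} with a scoped TSID."""
        res_id = secrets.token_urlsafe(8)
        tsid = secrets.token_urlsafe(32)
        self._by_res[res_id] = Transaction(res_id, tsid, self._now() + self.TTL)
        location = f"/resources/{res_id}"
        set_cookie = (f"TSID={tsid}; Path={location}; Max-Age={self.TTL}; "
                      "Secure; HttpOnly; SameSite=Lax")
        return 302, {"Location": location, "Set-Cookie": set_cookie}

    def lookup(self, request_path: str, cookie_header: str):
        """Return the transaction for request_path if the presented TSID is
        the one issued for that resource and it has not expired, else None."""
        parts = request_path.split("/")
        if len(parts) < 3 or parts[1] != "resources":
            return None
        txn = self._by_res.get(parts[2])
        if txn is None:
            return None
        if self._now() >= txn.expires_at:
            del self._by_res[txn.res_id]   # expiry needs no background sweeper
            return None
        presented = parse_cookie_header(cookie_header).get("TSID", "")
        if not hmac.compare_digest(presented.encode(), txn.tsid.encode()):
            return None
        return txn

    def finish(self, txn: Transaction) -> None:
        """Commit or abort: the resource and its session go away together."""
        self._by_res.pop(txn.res_id, None)


if __name__ == "__main__":
    store = TransactionalSessionStore()
    status, headers = store.create()
    print(status, headers)
    tsid = headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
    txn = store.lookup(headers["Location"] + "/confirm", f"TSID={tsid}")
    print("accepted:", txn is not None)
    print("other resource:", store.lookup("/resources/other", f"TSID={tsid}"))
```

The TSID is compared with `hmac.compare_digest` so a wrong value is rejected in constant time, and a TSID issued for one resource is useless at another because the lookup starts from the resource id in the request path, which is the server-side mirror of the Path attribute.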
JSON Web Token
• Do you know JWT?
• JWT is JSON Web Token
• A JWT carries an arbitrary JSON object
• JWT has a few registered claims (≒ a vocabulary)
• issuer, audience, subject
• issued at, expires at
• etc ...
• JWT supports signature (JWS) and encryption (JWE)
JWT encode/decode
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::WebToken qw(encode_jwt decode_jwt);

# sign the claims with an HMAC secret (JSON::WebToken defaults to HS256)
my $jwt  = encode_jwt({ foo => 1 }, "secret");

# verify the signature with the same secret and get the claims back
my $json = decode_jwt($jwt, "secret");
Using JWT to login
session cookie (1)
• The expiration time of a JWT is server-side time
• But a cookie's expires time is client-side time
• Moreover, the server can often confirm expiration without looking up the session DB
• Verify the UserAgent
• Embed a UA hash value in the JWT
• Verify the session
• It is just verification of the JWT signature.
Using JWT to login session cookie (2)
use JSON qw(decode_json);

# the session claims: registered claims plus a private session claim
# carrying hashes that bind the token to this UserAgent and client
my $session_value = encode_jwt(decode_json(<<JSON
{
    "jti": "1234567",
    "iss": "https://authz.example.com",
    "aud": "https://authz.example.com",
    "sub": "https://profile.example.com/zigorou",
    "https://schema.example.com/session": {
        "ua_hash": 331365789,
        "remote_addr_ipv4_hash": 595682001,
        "tracking_cookie_hash": 1361976131
    },
    "iat": 1397293921,
    "exp": 1397380321
}
JSON
), "secret");
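The JWT encode/decode of slide 17 and the session check of slides 18 and 19, as one added example that is not the deck's Perl code: a minimal HS256 JWS encoder and verifier built on the standard library, then the login-session check the slides describe, which verifies the signature, compares exp against the server clock rather than the cookie's Expires, and compares the embedded ua_hash with the requesting UserAgent. The claim names and timestamps are the deck's; the CRC32 ua_hash function, the sample User-Agent string, and the function names are this example's assumptions.

```python
"""JWT (HS256) as the value of a login-session cookie (added example)."""
import base64
import hashlib
import hmac
import json
import zlib

SESSION_CLAIM = "https://schema.example.com/session"   # private claim from the deck


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, secret: str) -> str:
    """JWS compact serialization, header.payload.signature, signed with HS256."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_jwt(token: str, secret: str) -> dict:
    """Verify the HS256 signature and return the claims; ValueError on failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(h))
    # the verifier fixes the algorithm; the token's alg is never trusted to
    # pick a weaker one (e.g. "none")
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def ua_hash(user_agent: str) -> int:
    """Constructed stand-in for the deck's ua_hash: CRC32 of the UA string."""
    return zlib.crc32(user_agent.encode())


def issue_session_cookie(sub: str, user_agent: str, now: int, secret: str,
                         ttl: int = 86400) -> str:
    """Build the cookie value: registered claims plus the private session claim."""
    claims = {
        "jti": "1234567",
        "iss": "https://authz.example.com",
        "aud": "https://authz.example.com",
        "sub": sub,
        SESSION_CLAIM: {"ua_hash": ua_hash(user_agent)},
        "iat": now,
        "exp": now + ttl,
    }
    return encode_jwt(claims, secret)


def verify_session_cookie(value: str, user_agent: str, now: int, secret: str):
    """Return the subject for a valid, unexpired session bound to this UA,
    otherwise None.  No session DB is consulted: signature, server-side
    clock, and the embedded UA hash decide."""
    try:
        claims = decode_jwt(value, secret)
    except ValueError:
        return None
    if now >= claims.get("exp", 0):
        return None
    if claims.get(SESSION_CLAIM, {}).get("ua_hash") != ua_hash(user_agent):
        return None
    return claims.get("sub")


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample UA)"
    token = issue_session_cookie("https://profile.example.com/zigorou", ua,
                                 1397293921, "secret")
    print(token)
    print(verify_session_cookie(token, ua, 1397293921 + 60, "secret"))
    print(verify_session_cookie(token, ua, 1397380321, "secret"))  # expired
```

Because the cookie's Expires attribute is only advice to the UserAgent, the server must check exp itself against its own clock, which `verify_session_cookie` does; a client that keeps sending a stale cookie is rejected without any database lookup, exactly the property slide 18 describes.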
Transparent Session State Cookie
• In the OpenID Connect Session Management specification (http://openid.net/specs/openid-connect-session-1_0.html)
• Using a cookie without the HttpOnly attribute, it provides a Single Logout mechanism between the Authorization Server and the client application.
• If you are interested in it, please read the specification
• Mobage Connect (my current work) supports it
Thanks
• If you have any question, talk to me at the get-together.