How to bake delicious cookie (RESTful Meetup #03)
ToruYamaguchi (@zigorou)
DeNA Co.,Ltd.
Mobage Platform Senior Architect
Monday, April 14, 2014
Self Introduction
• Platform Architect
• RESTful APIs, JSON-RPC APIs design and impl
• OpenSocial JavaScript API design
• Native SDK backend design
• Activity Streams backend design and impl
• Mobage Connect (OAuth 2.0 and OpenID Connect Server) design
• JavaScript SDK design
• etc ...
• Perl Monger
• https://metacpan.org/author/ZIGOROU
• Profile
• @zigorou (twitter)
Recent implementation
• JSON Pointer (perl)
• JSON::Pointer
• JSON Schema validator (perl)
• JSV (not released to CPAN)
My recent interest
• Guessing how typical web applications are built
• Especially the session behavior of STATEful web applications
Cookie???
HTTP Cookie!
• Today we look at HTTP cookie behavior in detail
• Then we look at advanced cookie usage
Host Cookie
• A host cookie is set by a Set-Cookie response header without a Domain attribute
• A host cookie is sent back only to the host that set it
Domain Cookie
• A domain cookie is set by a Set-Cookie response header with a Domain attribute
• A domain cookie is sent to the sender domain and to all of its sub-domains.
Host and Domain Cookie Differences
(figure: two panels, each showing a sender among aaa.example.com and bbb.example.com)
• Host cookie panel: the sender sets Set-Cookie: foo=1; and only the sender host receives it back
• Domain cookie panel: the sender sets Set-Cookie: foo=1; domain=example.com and both aaa.example.com and bbb.example.com receive it
Typical usage of domain cookie
• Sharing UserAgent STATE between many web services that have the same domain suffix
• login session
• tracking
The path attribute
• The path attribute controls whether the UserAgent sends a cookie, based on the URI path of the request
• Many services make interesting use of this feature
• Especially Google+ Sign-In
The path behavior
• Set-Cookie: xyz=1; path=/foo
• Request paths compared in the figure: /foo, /foo/bar, /abc, /
• The cookie is sent with requests to /foo and /foo/bar, but not to /abc or /
Gmail multiple sessions by path attribute
• Separate accounts (personal, work) get separate session cookies scoped to /mail/u/0 and /mail/u/1
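As an added example (not code from the slides), a small RFC 6265 scope matcher in Python that replays the host, domain, path=/foo and Gmail /mail/u/N cases above; the cookie names and hosts that are not on the slides (www.example.com, mail.example.com, xexample.com, SID) are constructed.

```python
"""Cookie scoping rules from RFC 6265 (domain-match and path-match), with the
slides' host/domain/path examples as constructed scenarios."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # host that set it (host cookie) or the Domain attribute value
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str = "/"


def parse_set_cookie(header: str, sender_host: str) -> Cookie:
    """Turn a Set-Cookie header received from sender_host into a stored cookie.

    Simplifications (assumptions of this example): the default Path is "/" rather
    than the request URI's directory, and no public-suffix list is consulted.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, path = sender_host.lower(), True, "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            val = val.lstrip(".").lower()
            # RFC 6265 5.3 step 6: a Domain that does not cover the sender is rejected
            if not (domain == val or domain.endswith("." + val)):
                raise ValueError(f"{sender_host} may not set a cookie for {val}")
            domain, host_only = val, False
        elif key == "path" and val.startswith("/"):
            path = val
    return Cookie(name.strip(), value.strip(), domain, host_only, path)


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain          # host cookie: exactly the sender host
    # domain cookie: the domain itself and every sub-domain of it
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/foo" matches "/foo/bar" but not "/foobar"; "/foo/" matches anything below it
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for(jar: List[Cookie], request_host: str, request_path: str) -> List[str]:
    """The name=value pairs a UA would put in the Cookie header for this request."""
    return [f"{c.name}={c.value}" for c in jar
            if domain_matches(request_host, c) and path_matches(request_path, c.path)]


def slide_scenarios() -> Dict[str, List[str]]:
    """The slides' examples, replayed as constructed input."""
    host_cookie = parse_set_cookie("Set-Cookie: foo=1;", "aaa.example.com")
    domain_cookie = parse_set_cookie("Set-Cookie: foo=1; domain=example.com", "aaa.example.com")
    path_cookie = parse_set_cookie("Set-Cookie: xyz=1; path=/foo", "www.example.com")
    gmail_work = parse_set_cookie("Set-Cookie: SID=work; path=/mail/u/1", "mail.example.com")
    return {
        "host cookie -> aaa": cookies_for([host_cookie], "aaa.example.com", "/"),
        "host cookie -> bbb": cookies_for([host_cookie], "bbb.example.com", "/"),
        "domain cookie -> aaa": cookies_for([domain_cookie], "aaa.example.com", "/"),
        "domain cookie -> bbb": cookies_for([domain_cookie], "bbb.example.com", "/"),
        "domain cookie -> unrelated xexample.com": cookies_for([domain_cookie], "xexample.com", "/"),
        "path=/foo -> /foo": cookies_for([path_cookie], "www.example.com", "/foo"),
        "path=/foo -> /foo/bar": cookies_for([path_cookie], "www.example.com", "/foo/bar"),
        "path=/foo -> /abc": cookies_for([path_cookie], "www.example.com", "/abc"),
        "path=/foo -> /": cookies_for([path_cookie], "www.example.com", "/"),
        "path=/foo -> /foobar": cookies_for([path_cookie], "www.example.com", "/foobar"),
        "work session -> /mail/u/1/inbox": cookies_for([gmail_work], "mail.example.com", "/mail/u/1/inbox"),
        "work session -> /mail/u/0": cookies_for([gmail_work], "mail.example.com", "/mail/u/0"),
    }
```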
Transactional session (1)
• Creating a temporary transactional resource
• GET /resources/new
• 302 Found
• Location: /resources/{resId}
• Set-Cookie: TSID=xyz123; path=/resources/{resId}
• Continue processing until the transaction finishes
Transactional Session (2)
• The path attribute ensures the sharing scope of the transactional session is only under the transactional resource endpoint
• Managing STATE by URI !!!
• Secure
• Expiration friendly
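The server side of the two transactional-session slides, as an added Python example (not the slides' code): the TSID is minted per resource, scoped by Path to that resource's URI, checked against server-side time, and discarded when the transaction ends. The class name, the TTL and the HttpOnly/Secure attributes are assumptions of this example.

```python
"""One TSID per transactional resource, bound to /resources/{resId} through
the cookie Path attribute and expired by the server, not by the cookie."""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

RESOURCE_PREFIX = "/resources/"


class TransactionalSessionStore:
    def __init__(self, ttl_seconds: int = 600, now: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._now = now                      # injectable clock, so expiry can be tested
        self._tx: Dict[str, Tuple[str, float]] = {}   # resId -> (tsid, expires_at)

    def begin(self) -> Dict[str, str]:
        """GET /resources/new: mint the resource and answer 302 with a TSID cookie
        whose Path is exactly that resource, so the UA presents it nowhere else."""
        res_id = secrets.token_urlsafe(9)
        tsid = secrets.token_urlsafe(32)
        self._tx[res_id] = (tsid, self._now() + self._ttl)
        path = RESOURCE_PREFIX + res_id
        # HttpOnly and Secure are hardening added here; the slide shows only name and Path
        return {
            "Status": "302 Found",
            "Location": path,
            "Set-Cookie": f"TSID={tsid}; Path={path}; HttpOnly; Secure",
        }

    @staticmethod
    def cookie_value(cookie_header: str, name: str) -> Optional[str]:
        """Pick one cookie out of a Cookie request header (or a Set-Cookie header)."""
        for part in cookie_header.split(";"):
            key, _, val = part.strip().partition("=")
            if key == name:
                return val
        return None

    def verify(self, request_path: str, cookie_header: str) -> bool:
        """Accept a request under /resources/{resId} only with that resource's live TSID."""
        if not request_path.startswith(RESOURCE_PREFIX):
            return False
        res_id = request_path[len(RESOURCE_PREFIX):].split("/", 1)[0]
        presented = self.cookie_value(cookie_header, "TSID")
        entry = self._tx.get(res_id)
        if presented is None or entry is None:
            return False
        tsid, expires_at = entry
        if self._now() >= expires_at:
            # expiry is the server's decision; the cookie's own Expires is only a UA hint
            del self._tx[res_id]
            return False
        return hmac.compare_digest(presented, tsid)

    def finish(self, res_id: str) -> Dict[str, str]:
        """End of the transaction: drop server state and tell the UA to discard the cookie."""
        self._tx.pop(res_id, None)
        return {"Set-Cookie": f"TSID=deleted; Path={RESOURCE_PREFIX + res_id}; Max-Age=0"}

    def sweep(self) -> int:
        """Remove expired transactions; returns how many were dropped."""
        now = self._now()
        expired = [r for r, (_, exp) in self._tx.items() if now >= exp]
        for r in expired:
            del self._tx[r]
        return len(expired)

    def active(self) -> int:
        return len(self._tx)
```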
JSON Web Token
• Do you know JWT?
• JWT is JSON Web Token
• A JWT carries your own JSON object
• JWT has a few registered claims (≒ vocabulary)
• issuer, audience, subject
• issued at, expiration time
• etc ...
• JWT supports signing (JWS) and encryption (JWE)
JWT encode/decode
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::WebToken qw(encode_jwt decode_jwt);

# sign the claims with a shared secret (JSON::WebToken defaults to HS256)
my $jwt  = encode_jwt({ foo => 1 }, "secret");
# verify the signature with the same secret and get the claims back
my $json = decode_jwt($jwt, "secret");
Using JWT as a login session cookie (1)
• The expiry time of a JWT is checked against server-side time
• But a cookie's Expires time is enforced by client-side time
• So the server can often confirm expiration without looking up a session DB
• Verify the UserAgent
• Embed a hash of the UA in the JWT
• Verify the session
• It is just verification of the JWT signature.
Using JWT as a login session cookie (2)
use JSON qw(decode_json);
use JSON::WebToken qw(encode_jwt);

# the session cookie value is a signed JWT; the private claim under the
# https://schema.example.com/session namespace binds it to the UA and client
my $session_value = encode_jwt(decode_json(<<'JSON'), "secret");
{
  "jti": "1234567",
  "iss": "https://authz.example.com",
  "aud": "https://authz.example.com",
  "sub": "https://profile.example.com/zigorou",
  "https://schema.example.com/session": {
    "ua_hash": 331365789,
    "remote_addr_ipv4_hash": 595682001,
    "tracking_cookie_hash": 1361976131
  },
  "iat": 1397293921,
  "exp": 1397380321
}
JSON
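The JWT encode/decode slide and the two session-cookie slides, as one added Python example (not the slides' Perl): HS256 JWS from the standard library, then a session cookie that embeds a UA hash and is checked by signature, server-side expiry and UA comparison. The issuer, the TTL, the truncated-SHA-256 UA hash and all helper names are assumptions of this example.

```python
"""HS256 JWT encode/decode, then the slides' login-session cookie: UA hash in a
private claim, server-side expiry, session validity reduced to a signature check."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict

ISSUER = "https://authz.example.com"
SESSION_NS = "https://schema.example.com/session"   # private claim name from the slide


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: Dict[str, Any], secret: str) -> str:
    """JWS compact serialization with HS256 (the default the slide's Perl relies on)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token: str, secret: str) -> Dict[str, Any]:
    """Verify the signature and return the claims; raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head, payload, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never trust the token's choice
    expected = hmac.new(secret.encode(), f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def ua_hash(user_agent: str) -> int:
    """Integer fingerprint of the User-Agent (constructed: first 4 bytes of SHA-256)."""
    return int.from_bytes(hashlib.sha256(user_agent.encode()).digest()[:4], "big")


def issue_session_cookie(subject: str, user_agent: str, secret: str,
                         now: int, ttl: int = 86400) -> str:
    """Build the cookie value the slide shows, with the same claim layout."""
    claims = {
        "jti": secrets.token_hex(8),
        "iss": ISSUER,
        "aud": ISSUER,
        "sub": subject,
        SESSION_NS: {"ua_hash": ua_hash(user_agent)},
        "iat": now,
        "exp": now + ttl,
    }
    return encode_jwt(claims, secret)


def verify_session_cookie(token: str, user_agent: str, secret: str, now: int) -> Dict[str, Any]:
    """The signature check is the session check; exp and UA hash are compared on the server."""
    claims = decode_jwt(token, secret)
    if claims.get("iss") != ISSUER or claims.get("aud") != ISSUER:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("session expired (server clock, not the cookie's Expires)")
    if claims.get(SESSION_NS, {}).get("ua_hash") != ua_hash(user_agent):
        raise ValueError("user agent does not match the one the session was issued to")
    return claims


def session_is_valid(token: str, user_agent: str, secret: str, now: int) -> bool:
    try:
        verify_session_cookie(token, user_agent, secret, now)
        return True
    except ValueError:
        return False
```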
Transparent Session State Cookie
• Defined in the OpenID Connect Session Management specification (http://openid.net/specs/openid-connect-session-1_0.html)
• Using a cookie without the HttpOnly attribute, it provides a Single Logout mechanism between the Authorization Server and the client application.
• If you are interested, please read the specification
• Mobage Connect (my current work) supports it
Thanks
• If you have any questions, talk to me at the get-together.
How to bake delicious cookie (RESTful Meetup #03)