How to bake delicious cookie (RESTful Meetup #03)

Advanced topic of HTTP Cookie usage.

How to bake delicious cookie
Toru Yamaguchi (@zigorou)
DeNA Co.,Ltd.
Mobage Platform Senior Architect
Monday, April 14, 2014

Self Introduction
• Platform Architect
  • RESTful APIs, JSON-RPC APIs design and implementation
  • OpenSocial JavaScript API design
  • Native SDK backend design
  • Activity Streams backend design and implementation
  • Mobage Connect (OAuth 2.0 and OpenID Connect Server) design
  • JavaScript SDK design
  • etc ...
• Perl Monger
  • https://metacpan.org/author/ZIGOROU
• Profile
  • @zigorou (twitter)

Recent implementation
• JSON Pointer (perl)
  • JSON::Pointer
• JSON Schema validator (perl)
  • JSV (not released to CPAN)

My recent interest
• Guessing how typical web applications are built
• Especially the session behavior of STATEful web applications

Cookie???

HTTP Cookie!
• Today we look at HTTP cookie behavior in detail
• Then we look at advanced cookie usage

Host Cookie
• A host cookie is set by a Set-Cookie response header without a Domain attribute
• A host cookie is sent back only to the sender host; its sub-domains do not receive it

Domain Cookie
• A domain cookie is set by a Set-Cookie response header with a Domain attribute
• A domain cookie is sent to the sender domain and to the sender's sub-domains.

Host and Domain Cookie Differences
(diagram: the sender is aaa.example.com; bbb.example.com is a sibling host under example.com)
• Host Cookie: Set-Cookie: foo=1
  • sent back to aaa.example.com only; bbb.example.com does not receive it
• Domain Cookie: Set-Cookie: foo=1; domain=example.com
  • sent to both aaa.example.com and bbb.example.com

Typical usage of domain cookie
• Sharing UserAgent STATE between many web services that have the same domain suffix.
  • login session
  • tracking

The path attribute
• The Path attribute controls which cookies the UserAgent sends, selected by URI path
• Many services put this feature to interesting use
  • Especially Google+ SignIn

The path behavior
Set-Cookie: xyz=1; path=/foo
• /foo       cookie sent
• /foo/bar   cookie sent
• /abc       not sent
• /          not sent
Gmail multiple session by path attribute
• The personal account and the work account each get their own session, scoped by path: /mail/u/0 and /mail/u/1

Transactional session (1)
• Creating a temporary transactional resource
  • GET /resources/new
  • 302 Found
  • Location: /resources/{resId}
  • Set-Cookie: TSID=xyz123; path=/resources/{resId}
• Continue the process until the transaction finishes

Transactional Session (2)
• The Path attribute ensures that the sharing scope of the transactional session is only under the transactional resource endpoint
• Managing STATE by URI !!!
  • Secure
  • Expiration friendly
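The scoping rules of slides 7 to 9 (host cookie versus domain cookie), slide 12 (Path) and slides 14 to 15 (a transactional session cookie scoped to one resource path) worked through in Python, as an added example that is not code from the talk. It is a stdlib-only model of the RFC 6265 domain-match and path-match rules, not a complete cookie jar (no Expires, Secure or HttpOnly handling). The host names, the resource id 42 and the cookie values are constructed for the demo.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # host (host cookie) or domain suffix (domain cookie), lowercase
    path: str
    host_only: bool   # True when Set-Cookie carried no Domain attribute

def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: identical, or the request host is a subdomain of the cookie domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: identical, or the cookie path is a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def default_path(request_path: str) -> str:
    """Path used when Set-Cookie has no Path attribute: the request path up to its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def parse_set_cookie(header: str, request_host: str, request_path: str) -> Cookie:
    """Store a Set-Cookie header value the way a user agent does (name/value, Domain, Path)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", "").lstrip(".").lower()
    host_only = domain == ""
    if host_only:
        domain = request_host.lower()            # slide 7: no Domain attribute -> host cookie
    elif not domain_match(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    path = attrs.get("path", "")
    if not path.startswith("/"):
        path = default_path(request_path)
    return Cookie(name.strip(), value, domain, path, host_only)

class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, set_cookie: str, url: str) -> Cookie:
        u = urlsplit(url)
        c = parse_set_cookie(set_cookie, u.hostname, u.path or "/")
        # a cookie with the same name, domain and path replaces the old one
        self.cookies = [x for x in self.cookies
                        if (x.name, x.domain, x.path) != (c.name, c.domain, c.path)]
        self.cookies.append(c)
        return c

    def cookie_header(self, url: str) -> str:
        """Build the Cookie request header the user agent would send to url."""
        u = urlsplit(url)
        host, path = u.hostname.lower(), u.path or "/"
        sent = []
        for c in self.cookies:
            host_ok = host == c.domain if c.host_only else domain_match(host, c.domain)
            if host_ok and path_match(path, c.path):
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)

def host_vs_domain_demo() -> dict:
    """Slide 9: a host cookie and a domain cookie, both set by aaa.example.com (constructed)."""
    jar = CookieJar()
    jar.store("foo=1", "https://aaa.example.com/")                      # host cookie
    jar.store("bar=1; domain=example.com", "https://aaa.example.com/")  # domain cookie
    return {h: jar.cookie_header(f"https://{h}/") for h in ("aaa.example.com", "bbb.example.com")}

def path_demo() -> dict:
    """Slide 12: Set-Cookie: xyz=1; path=/foo, then requests to several paths (constructed)."""
    jar = CookieJar()
    jar.store("xyz=1; path=/foo", "https://app.example.com/")
    return {p: jar.cookie_header("https://app.example.com" + p)
            for p in ("/foo", "/foo/bar", "/foobar", "/abc", "/")}

def transactional_session_demo() -> dict:
    """Slides 14-15: GET /resources/new is answered with 302 and a TSID cookie scoped to the new resource."""
    jar = CookieJar()
    res_id = "42"  # hypothetical {resId} allocated by the server
    # the 302 response carries Location: /resources/42 together with this Set-Cookie
    jar.store(f"TSID=xyz123; path=/resources/{res_id}", "https://app.example.com/resources/new")
    base = "https://app.example.com"
    return {"same resource": jar.cookie_header(f"{base}/resources/{res_id}/confirm"),
            "other resource": jar.cookie_header(f"{base}/resources/43"),
            "site root": jar.cookie_header(f"{base}/")}
```

The /foobar case in path_demo is the edge worth remembering: path=/foo is a path prefix only at a "/" boundary, so /foobar does not receive the cookie. transactional_session_demo shows the point of slide 15: the TSID cookie travels only with requests under /resources/42, so another transaction or the site root never sees it.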
JSON Web Token
• Do you know JWT?
• JWT is JSON Web Token
• A JWT carries an original JSON object
• JWT has a few registered claims (≒ vocabulary)
  • issuer, audience, subject
  • issued at, expired at
  • etc ...
• JWT supports signature (JWS) and encryption (JWE)

JWT encode/decode
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::WebToken qw(encode_jwt decode_jwt);

# HS256 by default; "secret" is the shared HMAC key
my $jwt  = encode_jwt({ foo => 1 }, "secret");
# verifies the signature with the same key and returns the claims as a hashref
my $json = decode_jwt($jwt, "secret");

Using JWT to login session cookie (1)
• The expiry of a JWT (exp) is checked against server-side time
• But a Cookie's expires time is client-side time
• And more, the server can sometimes confirm expiration without a session-DB lookup
• Verify UserAgent
  • Embed a UA hash value in the JWT
• Verify session
  • It is just verification of the JWT signature.

Using JWT to login session cookie (2)
use JSON qw(decode_json);
use JSON::WebToken qw(encode_jwt);

my $session_value = encode_jwt(decode_json(<<JSON
{
    "jti": "1234567",
    "iss": "https://authz.example.com",
    "aud": "https://authz.example.com",
    "sub": "https://profile.example.com/zigorou",
    "https://schema.example.com/session": {
        "ua_hash": 331365789,
        "remote_addr_ipv4_hash": 595682001,
        "tracking_cookie_hash": 1361976131
    },
    "iat": 1397293921,
    "exp": 1397380321
}
JSON
), "secret");
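The JWT-as-session-cookie idea of slides 18 and 19, as an added example that is not code from the talk: the slides use Perl's JSON::WebToken, while this Python block reimplements HS256 JWS with the standard library (hmac, hashlib, base64, json) so it runs with no dependencies. The claim names follow slide 19; SESSION_NS, the SID cookie name, ua_hash(), issue_session(), session_cookie() and verify_session() are names chosen here, the key "secret" is the slides' placeholder, and the User-Agent strings are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"secret"  # the slides' placeholder key; a real deployment uses a long random key
SESSION_NS = "https://schema.example.com/session"  # private claim name from slide 19

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_jwt(claims: dict, secret: bytes) -> str:
    """JWS compact serialization with HS256: base64url(header).base64url(payload).base64url(HMAC)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def decode_jwt(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the claims; the alg is pinned, never taken from the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):   # constant-time comparison
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def ua_hash(user_agent: str) -> int:
    """Slide 18: a 32-bit hash of the User-Agent, embedded so the UA can be checked without a DB lookup."""
    return int.from_bytes(hashlib.sha256(user_agent.encode()).digest()[:4], "big")

def issue_session(subject: str, user_agent: str, now: int, ttl: int = 86400) -> str:
    claims = {"jti": "1234567", "iss": "https://authz.example.com", "aud": "https://authz.example.com",
              "sub": subject, SESSION_NS: {"ua_hash": ua_hash(user_agent)},
              "iat": now, "exp": now + ttl}
    return encode_jwt(claims, SECRET)

def session_cookie(token: str, ttl: int = 86400) -> str:
    """Set-Cookie value: Max-Age is only a client-side hint (slide 18); exp inside the JWT is authoritative."""
    return f"SID={token}; Path=/; Max-Age={ttl}; Secure; HttpOnly"

def verify_session(token: str, user_agent: str, now: int) -> dict:
    claims = decode_jwt(token, SECRET)                 # slide 18: the signature check IS the session check
    if now >= claims["exp"]:
        raise ValueError("session expired")            # server clock decides, not the cookie's expiry
    if claims[SESSION_NS]["ua_hash"] != ua_hash(user_agent):
        raise ValueError("user agent mismatch")
    return claims

def demo() -> dict:
    now = 1397293921                                   # the iat value used on slide 19
    ua = "Mozilla/5.0 (constructed UA)"
    tok = issue_session("https://profile.example.com/zigorou", ua, now)
    h, p, s = tok.split(".")
    tampered = f"{h}.{p}." + ("B" if s[0] == "A" else "A") + s[1:]   # one signature character changed
    cases = {"valid": (tok, ua, now + 60), "tampered": (tampered, ua, now + 60),
             "expired": (tok, ua, now + 86400), "other_ua": (tok, "curl/7.0 (constructed UA)", now + 60)}
    results = {}
    for label, (t, u, at) in cases.items():
        try:
            results[label] = "ok:" + verify_session(t, u, at)["sub"]
        except ValueError as e:
            results[label] = str(e)
    return results
```

Two design points: the verifier pins alg to HS256 instead of reading it from the token header, so an attacker cannot downgrade to "none" or switch algorithms, and expiry is compared with the server's own clock, which is the slide's point that the cookie's Expires/Max-Age is advisory client-side time while exp is the real deadline.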
Transparent Session State Cookie
• Defined in the OpenID Connect Session Management specification (http://openid.net/specs/openid-connect-session-1_0.html)
• Using a cookie without the HttpOnly attribute, it provides a Single Logout mechanism between the Authorization server and the client application.
• If you are interested in it, please read the specification
• Mobage Connect (my current work) supports it

Thanks
• If you have any question, talk to me at the get-together.