Managing session in REST application after authentication with OpenID

Question

I am building an RESTful application. I plan to use OpenID for user authentication. Currently, I am using LightOpenID for OpenID authentication and I am able to authenticate my users.

My question is what next? after authentication!

1. Since, its a REST application, I will have to use Cookies for session management.. right?
2. What values do I store in Cookies?
3. How do I validate the session and user logout?

I did search for examples with regard to implementation but all examples stop at authentication and do not talk about session management! I would like to know how you manage the sessions in your applications and if possible best practices and concerns in implementing an approach.

If you are aware of any reference implementations please provide me the link.

Answer 1

Important:

First some important security advices you should keep in mind:

• You should also read about http-only cookies and how to configure them properly using PHP.

  • You should be wary of session_fixation and protect yourself against it using session_regenerate_id. I also find there are some interesting countermeasures at the wikipedia of session fixation.

Your questions:

Since, its a REST application, I will have to use Cookies for session management.. right?

using sessions would be safest(best), but of course there are a lot more solutions to session management. But if you use cookies only(no php $_SESSION) then you should of course encrypt your cookie. But I would advice you to just use $_SESSION.

What values do I store in Cookies?

You don't store anything in the cookies. $_SESSION creates the cookie(automatically => you don't have to think about it) for you which is unique. Everything you put into $_SESSION is stored on the server so the user can not read this. You could store whatever information you like to store in the session, but keep in mind that it is best to NEVER store sensitive data(pin numbers, creditcard, passwords, etc) in your application is possible. I have already mentoined that your $_SESSION is stored on the server, but the cookie which has an unique identifier to match with the session stored on disc(or database) could be guessed(spoofed).

How do I validate the session?

You validate session by inspecting the information stored inside the session. I assume you store at least $_SESSION['id'] = $openid->identity; inside your session. Keep in mind that after the user logs in to your website using openid you should regenerate your session(id) to prevent session fixation.

How do I logout a user?

you just call session_destroy and all the data stored inside the session will be deleted.

---

I hope this explained all your questions.

PS:

A session in the cookie jar gives you a basic introduction to sessions(although I don't see it mention session fixation :$).