A Plugin Released: the cookie-based session storage


Masatoshi Hayashi
Hello,

I've released a Grails plugin that allows you to store the session data in a cookie like Rails or Play!

https://github.com/literalice/grails-cookie-session

It makes a Grails application more stateless.
So you could more easily scale the application on a clustered environment (including some cloud platforms like Heroku).

This cookie-based session storage has an issue against replay attacks.
Even if someone sniffs a user's cookie and replays the cookie to your application,
the application cannot detect this (they may log in to your application or ...).

I'm not sure how Play! or some other frameworks are avoiding this issue.

I'd be glad if I could get some opinions on the plugin. Thank you.

--
Masatoshi Hayashi
[hidden email]

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email
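
An added illustration of the replay concern raised in the message above; it is not code from the plugin, Rails or Play!. It assumes an HMAC-signed cookie that carries its issue time, and the names `SECRET`, `MAX_AGE` and `revoked_before` are hypothetical: the signature stops forgery, the age check bounds how long a captured cookie can be replayed, and a small server-side logout map (which gives up some statelessness) rejects cookies issued before a logout.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed; a real key lives in server config
MAX_AGE = 1800                    # assumed policy: cookie valid for 30 minutes


def _sign(payload: str) -> str:
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()


def encode_session(data: dict, now: float) -> str:
    """Serialize session data with its issue time and append an HMAC tag."""
    body = json.dumps({"iat": int(now), "data": data}, sort_keys=True)
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    return payload + "." + _sign(payload)


def decode_session(cookie: str, now: float, revoked_before: dict):
    """Return the session data, or None if forged, expired or revoked."""
    try:
        payload, tag = cookie.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(tag.encode(), _sign(payload).encode()):
        return None  # payload was altered or signed with another key
    body = json.loads(base64.urlsafe_b64decode(payload))
    if now - body["iat"] > MAX_AGE:
        return None  # captured cookie replayed after the validity window
    user = body["data"].get("user")
    if body["iat"] < revoked_before.get(user, 0):
        return None  # issued before this user's last logout
    return body["data"]


if __name__ == "__main__":
    cookie = encode_session({"user": "alice"}, now=1000)   # constructed sample
    print(decode_session(cookie, 1060, {}))                # replay in window: accepted
    print(decode_session(cookie, 1000 + MAX_AGE + 1, {}))  # too old: None
    print(decode_session(cookie, 1060, {"alice": 1030}))   # after logout: None
```

A cookie replayed inside the validity window is still accepted, so such cookies are normally sent only over TLS with the Secure attribute set.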


Re: A Plugin Released: the cookie-based session storage

Sebastien Blanc
Nice one!
Congrats!
Any plans to provide the "localStorage" version? So that the cookie won't be used at all?
Seb
 




Re: A Plugin Released: the cookie-based session storage

burtbeckwith
In reply to this post by Masatoshi Hayashi

Looks great. Are you going to do a 0.1 release of the plugin? I'd like to try it out on Heroku.

 

Burt 

 



Re: A Plugin Released: the cookie-based session storage

Masatoshi Hayashi
In reply to this post by Sebastien Blanc
Hello, Thank you for looking at the plugin.

 > Any plans to provide the "localStorage" version ? So that the cookie won't
 > be used at all ?

It sounds great.
But now I'm not sure how to access the browser's localStorage as the session store from a servlet...
And maybe the number of supported browsers is relatively small.
I think it's difficult for me to provide the "localStorage" version now.



Re: A Plugin Released: the cookie-based session storage

Masatoshi Hayashi
In reply to this post by burtbeckwith
Thank you for being interested in the plugin.

If I can, I'd like to release the plugin to the official plugin repository.
Now I've found some issues with the plugin.
So after fixing those, I'm going to release the first version of the plugin in a few days.

Masatoshi


Re: A Plugin Released: the cookie-based session storage

Eduard
Hi

I am an old Rails dev, working with Grails since last year. I need something like that for a Grails app that will go to prod next month.
If you need any help with the development/testing of the plugin, let me know, I want to help.