What is a Session Token?
Session tokens are essential components of session management in web applications. After a user logs in, a session token is generated to maintain and manage the user’s state with the server. These tokens are crucial for stateless protocols like HTTP, where each request-response pair is independent and does not inherently maintain the state of user sessions. Typically, most tokens are stored as a cookie in the user’s browser, however, they can also be sent in the URL as a paramater. It is worth noting, passing the token via a parameter does have ramifications for security.
To maintain security, session tokens must be handled with care. They should be randomly generated using a secure method to ensure that they cannot be easily guessed or replicated, and they must be protected from interception or theft. If an attacker acquires a user’s session token, they can potentially take over the session and gain access to the user’s account, a process known as session hijacking.
Given the sensitive nature of session tokens, any security breaches involving them can lead to significant vulnerabilities, such as unauthorised access and data breaches. Therefore, they play a pivotal role in safeguarding user sessions and upholding the overall security of web applications.
Token types
Session Tokens come in many forms, each with unique properties and reasons for using. Here are the different types of session tokens that are commonly used, each serving unique purposes and applications:
Traditional Session Tokens
The below tokens are used specifically to maintain a user’s session state with a server:
Randomly Generated Tokens
These are the most common type of session tokens used today, typically they are randomly generated strings, generated by the server when a user authenticates with the server. These tokens are supposed to be randomly generated and complex enough so that they are difficult to guess (Not always the case). Randomly generated tokens are often stored as Session Cookies or Session Variables.
Below is an example of a Randomly Generated Token
Cookie: session_id=3e7e6f7e85d4f8c290b6a34f6039abd5; Path=/; HttpOnly; SecureOpaque Tokens
This type of token does not contain any meaningful data. They are reference tokens often used to point to server-side stored session information. This style of token limits the amount of data exposure on the client-side.
Below is an example of an Opaque Token:
Authorization: Bearer 029bf415726b4d24901c893739b105fcTokens used for Authentication and Authorisation:
These tokens may be used alongside session tokens, for controlling access to specific resources:
JWT (JSON Web Tokens)
JWT tokens are extremely common these days, with many developers using them in modern applications. This type of token is the industry-standard method for representing a claim been two respective parties (RFC7519). Unlike Opaque Tokens, JWTs are self-contained and can store information about the user and the session. There are many security implications of JWT tokens, here is a fantastic cheat sheet to help you understand. Typically a JWT token is composed of a header, payload and a signature. JWT tokens can be stored in a cookie, or local storage.
Below is an example of an JSON Web Token:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cToken-based Authentication Tokens
These tokens are often used in stateless apps, particularly in RESTful services where each request needs to be authenticated independently. Think OAuth access tokens of API keys, which fall under this specific category of token. Token-based authentication tokens provide a secure way to authenticate requests without sending the username and password on each request.
Below is an example of a Token-based Token:
x-api-key: 12345678-abcd-9012-efgh-34567890ijklRefresh Tokens
This type of token is often used with the common OAuth 2.0 protocol, refresh tokens are used to obtain a new access token. A typical scenario would be an access token which has a short expiration token (Such as 30 minute for example).
Below is an example of how a refresh token could be used using OAuth:
POST /oauth/token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&
refresh_token=INSERT_REFRESH_TOKEN_HERE&
client_id=INSERT_CLIENT_ID_HERE&
client_secret=INSERT_CLIENT_SECRET_HERE
Key Characteristics:
- Acts as an identifying marker for ongoing user sessions
- Is generated upon user authentication
- Must be securely created and protected during its lifecycle
- Integral to managing sessions over stateless protocols
Examples:
- Real-World Example: An e-commerce site assigns a session token to a customer upon login, which allows the site to keep their shopping cart consistent as they browse different pages.
- Hypothetical Scenario: A web application enforces a secure session token regime, where any time a user logs in or their session refreshes, a new token is generated and the old one is invalidated, making stolen tokens rapidly useless.
Related Terms:
- Session Management: The overarching process of tracking and managing user interactions with a web service, which relies on session tokens.
- Session Hijacking: An attack where a threat actor takes control of a user’s session by acquiring their session token.
- HTTP: The stateless protocol that requires session tokens to keep track of user interactions with web servers.
- Session Cookie: The primary method for storing session tokens on a user’s system, which requires secure attributes to prevent security risks.
