DEV Community

Jhonatan Morais

A study of session sharing across systems that use cookie-based authentication

For a long time I have wanted to build a solution that shares one session between different systems that rely on session and cookie authentication, rather than on tokens, JWT or any OAuth-style solution.

During my studies, I wrote a Symfony bundle called jpm/session-sharing-bundle, which let me build a PoC to test my proposal. Watch my PoC video demonstration to see how it works with a "real" example.

Summary of the concept

To give you an idea of how it works, it is pretty simple:

  1. A middleware intercepts the requests and creates or restores the session when needed.
  2. The transferred data is encrypted with a sync key, a checksum and a permission list configured on both sides.
  3. Only the session ID is transferred, so to recover the session data all connected units must share the same Redis connection.

Flow of data inside the communication

  1. An unknown user accesses http://remote.test
  2. The request is intercepted by the SessionManagerSubscriber and the user is redirected (HTTP 302) to the identity provider with callback info.
  3. The IDP (Host) receives a GET request: http://host-idp.test/login?callback=aHR0cDovL3JlbW90ZS50ZXN0.
  4. The RemoteAuthSubscriber on the IDP (Host) intercepts the call, decodes the callback parameter, extracts the domain and checks whether it belongs to the list of allowed domains (JPM_KNOWN_REMOTE_HOSTS).
    • If not: it still performs/asks for the authentication but will not redirect to the unknown requester.
  5. Once the request is validated, the IDP checks whether the user already has a valid session open.
    • If not: the IDP's auth form is shown to the user and the callback parameter is kept.
  6. Once the session is created (or already exists), the session ID is encrypted using the sync key and the Defuse library.
  7. The user is then redirected back to the callback URL with the token parameter holding the encrypted value.
  8. The remote app now receives a request: http://remote.test?token=ZGVmNTAyMDAwYjliZDI5ODU5NGQxYzQwYTE...
  9. Again the SessionManagerSubscriber intercepts the request, but this time it finds the token, decodes and decrypts it, restores the session and finally lets the identified user access the resource.
    • If the given session is not valid/found: a 403 is thrown and the loop stops.
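To make steps 4, 6 and 9 concrete, here is an added example (my own sketch, not code from jpm/session-sharing-bundle) that walks the callback/token exchange from both sides. It assumes libsodium's secretbox as a stand-in for the Defuse library, models JPM_KNOWN_REMOTE_HOSTS as a plain array, and leaves out the checksum and permission list.

```php
<?php
// Added example, not the bundle's code. sodium secretbox stands in for Defuse;
// the allow-list and the session id below are constructed values.
declare(strict_types=1);

const KNOWN_REMOTE_HOSTS = ['remote.test'];                 // JPM_KNOWN_REMOTE_HOSTS (constructed)
$syncKey = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);  // sync key shared by IDP and remote app

// Step 4: decode the callback and compare the parsed host, not the raw string,
// against the allow-list. Returns the callback URL or null for an unknown requester.
function callbackIsAllowed(string $encodedCallback): ?string
{
    $url  = base64_decode($encodedCallback, true);
    $host = ($url === false) ? null : parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !in_array(strtolower($host), KNOWN_REMOTE_HOSTS, true)) {
        return null;   // still authenticate locally, but never redirect back here
    }
    return $url;
}

// Step 6: encrypt the session id under the sync key; the nonce travels with the box.
function issueToken(string $sessionId, string $syncKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($sessionId, $nonce, $syncKey);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Step 9: decode and decrypt on the remote side. Any tampering or a wrong key
// fails authentication and yields null, which the subscriber turns into a 403.
function restoreSessionId(string $token, string $syncKey): ?string
{
    try {
        $raw   = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $syncKey);
    } catch (SodiumException $e) {
        return null;   // malformed token
    }
    return ($plain === false) ? null : $plain;
}

// Walk the flow with constructed values.
$target = callbackIsAllowed(base64_encode('http://remote.test'));               // allowed
$denied = callbackIsAllowed(base64_encode('http://remote.test.evil.example'));  // null
echo "allowed callback: " . ($target ?? 'none') . ", lookalike host: " . ($denied ?? 'refused') . "\n";

$token = issueToken('sess_0123456789abcdef', $syncKey);                         // steps 6 and 7
echo "302 -> {$target}?token={$token}\n";
$restored = restoreSessionId($token, $syncKey);                                  // step 9
echo ($restored === null) ? "403\n" : "session restored: {$restored}\n";
echo (restoreSessionId($token . 'x', $syncKey) === null) ? "tampered token -> 403\n" : "unexpected\n";
```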

Note of responsibility

A note of responsibility has been added to the library README, but I will post it again here. This bundle and the PoC were developed as a study case, so it is not ready or recommended for use in production, but it can help you expand on it and develop your own approach.
