Race condition for "Remember Me" module

[frederikhors]

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (#210).

I'm building a SPA (single page application) and I have multiple parallel javascript requests to my server.

I'm also using the amazing Remember me module which I think has an "issue": is not a bug, is not a problem, is a missing feature!

DESCRIPTION

Let's say I have a rm (remember me) cookie saved in my browser along with the session one.

If the session cookie expires and my SPA sends multiple requests to my server with rm cookie only the first one is correctly authenticated.

The second one (and so on) can't find anymore it's token in the storer (deleted before in the first request flow).

ALGORITHM

I'm using the same algorithm you can find in authboss-sample: https://github.com/volatiletech/authboss-sample/blob/master/storer.go#L333-L352.

RELATED QUESTIONS

• https://stackoverflow.com/questions/5948918/race-condition-for-persistent-remember-me-cookies
• https://stackoverflow.com/questions/13613526/how-to-combine-a-persistent-login-cookie-with-parallel-ajax-requests
• https://stackoverflow.com/questions/17425275/how-to-fix-invalid-remember-me-token-series-token-mismatch-error
• Session lost due to concurrent requests with "Remember Me" symfony/symfony#28314
• https://stackoverflow.com/questions/44237177/remember-me-fails-when-two-or-more-requests-come-at-the-same-time-without-spri

QUESTION

As you can see this is not a problem with authboss, but WE ARE THE (HTTP) AUTH BOSSes!

What can we suggest to the world?

Can we solve it somehow?

[frederikhors]

I thought of a solution, but I don't know if it is safe enough for a medium security application.

I share it with you now to discuss it.

When a token is used it is marked with a time.Now().

All other calls still find it and mark the time.Now() too.

A background task takes care of removing from the DB tokens that have been used for more than 10 seconds.

I can also do this in memory but I need stateless app.

What do you think, @aarondl?

[aarondl]

Hi @frederikhors. Yes I can see how this could be an issue.

Adding background processes to authboss seems like a bad thing to do. Currently it's all just handlers and nothing runs in the background. In that way it's very predictable and doesn't do anything surprising.

You can however implement this functionality in your own storer:
https://github.com/volatiletech/authboss/blob/master/storage.go#L109

If when this method is called in your database you mark the token as valid for a certain period of time (say the next 10s), then subsequent calls to UseRememberToken can succeed for that period.

This is of course a security risk because the entire point of having a one-time use token on the client is to prevent any kind of replay attack where an attacker could send the same payload and become logged in themselves. So this is another reason we wouldn't want to solve it directly in Authboss but let consumers of the library choose their level of risk by implementing this or not inside their storers.

I'd be happy to consider other proven and secure solutions to this though.