Timeline for Is it a good practice to store session in two different places?
Current License: CC BY-SA 4.0
10 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Dec 8, 2019 at 1:07 | comment added | theprogrammer | | The thing is I don't want to pass the SAML response because integrating with SAML is a pain and I don't want the apps that I serve to do that. Hence I am passing a token which they can check with Redis. Anyway, thanks, and right now I am doing exactly what you said; I just wasn't sure if it was right to do so. |
| Dec 7, 2019 at 23:50 | comment added | Mr Zach | | If you just want to store the session in two places, you should only do that in the cases where the user should have access to both sites. If not, save it only to the site the user has access to. Once you receive the answer from the IdP and you verify it and get the roles the user is a member of, it might be better to just redirect the user directly to the site they belong to based on the role they are a member of. If they are a member of both sites, redirect them to a page where they can choose which site to go to. You can also pass the SAML response when the user clicks on button 1 or 2. |
| Dec 7, 2019 at 20:16 | comment added | theprogrammer | | I am still not sure why those things matter for this answer. I could be using any tech stack or any authentication mechanism. But once authentication happens they land on my page. That's when the question's premise starts. The details of transforming the cookie to a Redis ID or building the security context in my app from Redis are completely optional to whatever tech stack or language I choose. However, those are details that should not be needed to answer this question. At least that's what I believe. |
| Dec 7, 2019 at 10:32 | comment added | Mr Zach | | Then it's not so easy to give a good answer. I need to know how these apps are handling the authentication, how this is stored in cookies and how it's encrypted. |
| Dec 6, 2019 at 21:23 | comment added | theprogrammer | | Assume that those apps are not mine; they are maintained by another team, for instance. All I maintain is the dashboard app. I save the session to Redis and send a cookie with the Redis ID to the respective apps, and they should validate whether this session is valid. However, the question is whether I should store it in two places, since the apps that I might serve (EUWebApp or USWebApp in this case) may be region based. |
| Dec 6, 2019 at 21:00 | comment added | Mr Zach | | Then I can't understand why you need a USWebApp and another EUWebApp. Your app logic should handle the case where users have access to both regions. Or are you doing this because you are running your app in two different locations? |
| Dec 6, 2019 at 14:38 | comment added | theprogrammer | | Yes, that's what I am doing. The IdP sends those usUsers and euUsers roles in the SAML response and based on that I either disable the USWebApp or EUWebApp button. However, if they have access to both, then we need both apps, and hence the question: should I need to write to 2 Redis instances so that when the user clicks USWebApp, the USWebApp can validate with USRedis, and when the user clicks EUWebApp, the EUWebApp can validate their session with EURedis? |
| Dec 6, 2019 at 12:12 | comment added | Mr Zach | | Why don't you use a role-based access system? For example, US users are members of "usUsers" and EU users are members of "euUsers", and then you handle access in your app based on role membership. |
| Dec 5, 2019 at 18:10 | review: First posts | | | |
| Dec 18, 2019 at 17:23 | | | | |
| Dec 5, 2019 at 18:06 | history: asked | theprogrammer | CC BY-SA 4.0 | |