Detecting session hijacking using rotating refresh tokens
by Rishabh Poddar
Session hijacking is one of the oldest, yet still unsolved, attack vectors for gaining unauthorised access to a user's account. As apps adopt more secure login techniques like 2FA or passwordless login, we expect session-based attacks to grow in the coming years.
As a recent example, many YouTube influencers' accounts were hijacked via malware that stole their session tokens. This gave the attackers access to the YouTubers' accounts even though they had 2FA enabled.
Most commonly, developers resort to IP address / device fingerprint pattern matching in order to detect suspected token theft. However, this produces many false positives, which leads to really bad UX.
I will be discussing a method called "rotating refresh tokens" to better detect token theft. This is also a method recommended by the IETF in RFC 6819. Whilst it is conceptually straightforward to understand, implementing it reliably and in a way that scales is non-trivial.
Specifically, there are many race conditions and network failure cases that need to be solved for. To make this approach scale (in terms of time and space complexity) as well as traditional methods, we also need a unique token formation technique, which I will be discussing.
My talk will be inspired by my blog post: https://supertokens.io/blog/the-best-way-to-securely-manage-user-sessions
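As an added illustration of the detection logic (not code from the talk, the blog post or SuperTokens): each refresh rotates the token, a token one step behind the current one is accepted again only within a short grace window so a client whose response was lost on the network can retry, and any older token proves that two parties are walking the same chain, so the whole session is revoked. The grace window length and the in-memory store are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GRACE_SECONDS = 10  # assumed retry window after a rotation (network-failure tolerance)


@dataclass
class Session:
    user_id: str
    current: str                 # refresh token the client should hold now
    previous: Optional[str]      # token rotated out by the last refresh
    rotated_at: float            # when `current` was issued
    revoked: bool = False


class RefreshTokenStore:
    """In-memory model of rotating refresh tokens with theft detection (example only)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions: Dict[str, Session] = {}
        self.owner: Dict[str, str] = {}  # every token ever issued -> session id

    def create_session(self, user_id: str) -> Tuple[str, str]:
        sid, tok = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, tok, None, self.clock())
        self.owner[tok] = sid
        return sid, tok

    def refresh(self, token: str) -> Tuple[str, Optional[str]]:
        """Return (status, refresh token the client should now hold or None)."""
        sid = self.owner.get(token)
        if sid is None:
            return "invalid", None
        s = self.sessions[sid]
        if s.revoked:
            return "revoked", None
        if token == s.current:
            # Normal path: rotate and remember the old token for the retry window.
            new = secrets.token_urlsafe(32)
            s.previous, s.current, s.rotated_at = s.current, new, self.clock()
            self.owner[new] = sid
            return "rotated", new
        if token == s.previous and self.clock() - s.rotated_at <= GRACE_SECONDS:
            # The response carrying `current` may have been lost in transit:
            # hand the same current token back instead of rotating again.
            return "retry", s.current
        # An older token (or `previous` outside the grace window) was presented,
        # so two parties hold this chain: revoke the whole session.
        s.revoked = True
        return "theft_detected", None
```

The grace window is the trade-off the talk alludes to: it hides a theft that happens to land inside it, so keep it just long enough to cover a retry.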