Replacing Session Management Using Web Tokens

Mladen on November 23, 2017

The idea behind web tokens

Depending on the authentication model a server API uses to identify users, the server either keeps track of active users and maintains an open session for each of them, or the API validates the user's credentials every time it receives a request. Sending raw user credentials (a username/password pair) along with each request is considered bad practice and should be avoided.

A standard method to distinguish a request from a legitimate, active user from an invalid one is to use JWT (JSON Web Tokens). The basic idea behind web tokens is that they are signed, encoded strings of data created by the server API and handed to the client after a successful login. A token can carry any piece of data in its body, including but not limited to the user id, the user's name and an expiration time.

When a client application sends a new HTTP request to the server API with the token included, the token's content is decoded and the API can easily determine whether the token is valid from its payload (content) and signature. Although the signature used for validation is generated with a secret key, the body is only a base64 representation of the data parameters and can be decoded by anyone who holds the token.

The approach used by Swift Crypto Tools, on the other hand, also offers one-line token generation, but instead of merely encoding a string of data to its base64 representation it also encrypts the data, which in turn vastly improves the security of the server application using it.

Using Swift Crypto Tools

Before the initial call to the generateToken() function, a few variables should be set to values other than their defaults.

variable name                      type     default value
SCT_keyDerivationNumberOfRounds    UInt32   100000
SCT_initVectorSecretKey            String   MySuperSecretKey
SCT_defaultSaltString              String   DefaultSalt

The number of rounds should be kept between 100,000 and 500,000, while the initialization vector secret and the default salt string should be set to values of your own choosing. There is also an SCT_derivationKeyLength variable with a default value of 64, which should usually be left unchanged.

After the variable defaults have been changed, define the data collection to be encrypted:

let dataCollection: [String: Any] = [
  "key_1": "value_1",
  "key_2": 2,
  "key_n": "value_n"
]

A secret key for the hashing algorithm is also defined:

let secretKey: String = "YourSecretKey"

A new token is generated by calling:

let token = generateToken(fromCollection: dataCollection, usingSecretKey: secretKey)

The newly generated token is of type Token?, which conforms to the Codable protocol and can easily be passed from the server to the client.

Later on, when the client sends a request to the API with the token included, the token is decrypted and decoded using:

let initialCollection = decodeToken(fromToken: token, usingSecretKey: secretKey)

This one-liner returns an optional dictionary, [String: Any]?.

The Swift token generation code is available on the Swift Crypto Tools GitHub pages.