Information Security Asked on January 20, 2021
I am evaluating the above service design where I want to have mechanism to pass a user through multiple microservices. In this simple example, the user goes through a sign-up process and once done, the user is redirected to another microservice (B).
The session-id for microservice A is stored in a session store. However, when the user is redirected to microservice B then a new session-id is generated by microservice B and so this is stored as well in the session store.
This allows the user to traverse back and forth between microservices. Are there any security implications with this design?
The biggest possible security implication I can see with the details presented is that you might accidentally DoS your visitors if every individual service has its own session, and therefore session cookie. Once you hit the cookie limit (typically 4096 bytes), browsers will start ignoring cookies, possibly arbitrary ones, and that will cause sessions to start being dropped.
Another possible vulnerability is that if you have to examine multiple sessions in order to do work, it's possible that a malicious user might send a large number of different session ids, real or otherwise, and force your services to examine each one, which at best would cost CPU cycles (and thus money), and at worst cause a wider system DoS.
Both of these would be mitigated by only having a single session for the user.
Answered by Mike Caron on January 20, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP