Reduce latency by including refresh challenge #29

Open
dickhardt opened this issue Apr 6, 2024 · 1 comment

@dickhardt

As I understand it, refreshing the cookies requires the browser to acquire a new challenge, sign it, and then present it.

While the server can respond with a Sec-Session-Challenge header at any time, the logic to generate the challenge will be at the /securesession endpoint, not at other server endpoints.

When responding to POST /securesession/start or POST /securesession/refresh, the server could include Sec-Session-Refresh headers that have the same content as the Sec-Session-Challenge headers -- and the challenge and optional authorization would be used on the next refresh, removing one round trip in a refresh cycle.

@mattjm
Contributor

mattjm commented May 2, 2024

So a similar pattern to rotating refresh tokens. Folks were discussing other options for reducing round trips in #12--you could add something like this to the simplified flow proposed there. It might further complicate handling concurrency once you move the logic out of the "special" registration endpoints but it shouldn't be insurmountable.
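
The round-trip saving and the concurrency caveat discussed in this thread, as an added toy model that is not code from the issue or from the project. Assumptions: HMAC stands in for the device-bound key signature, the 401/403 status codes and the dict keys `challenge` / `next_challenge` are illustrative, and challenges are single use.

```python
import hashlib, hmac, secrets

def sign(key, challenge):
    # HMAC stands in for the device-bound key signature (assumption).
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, key, piggyback):
        self.key, self.piggyback = key, piggyback  # piggyback=True models the proposal
        self.outstanding = set()                   # issued, unredeemed challenges

    def _challenge(self):
        c = secrets.token_hex(16)
        self.outstanding.add(c)
        return c

    def refresh(self, challenge=None, signature=None):
        # One round trip to POST /securesession/refresh (status codes assumed).
        if challenge not in self.outstanding:      # missing, stale or replayed
            return {"status": 401, "challenge": self._challenge()}
        if not hmac.compare_digest(sign(self.key, challenge), signature or ""):
            return {"status": 403}
        self.outstanding.discard(challenge)        # single use
        resp = {"status": 200, "cookie": secrets.token_hex(8)}
        if self.piggyback:                         # hand out the next challenge now
            resp["next_challenge"] = self._challenge()
        return resp

class Browser:
    def __init__(self, key, server):
        self.key, self.server, self.cached = key, server, None

    def refresh(self):
        # Refresh the cookie and return how many round trips it took.
        challenge, self.cached, trips = self.cached, None, 0
        while True:
            trips += 1
            sig = sign(self.key, challenge) if challenge else None
            resp = self.server.refresh(challenge, sig)
            if resp["status"] == 200:
                self.cached = resp.get("next_challenge")
                return trips
            if resp["status"] != 401:
                raise RuntimeError("refresh rejected")
            challenge = resp["challenge"]

def round_trips(piggyback, n=3):
    key = secrets.token_bytes(32)
    browser = Browser(key, Server(key, piggyback))
    return [browser.refresh() for _ in range(n)]
```

The model has no start step, so the first refresh always costs two round trips. A second client holding an already-redeemed challenge is sent a fresh one and falls back to the two-round-trip path.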
