Hi, welcome to yet another ramble on security.
So one of the main cons of tokens is the case where an end user has their token momentarily stolen by a malicious site. If we wanted to detect and mitigate this, one idea is to roll the token upon every request. We would need to calculate the propagation delay of a user.
But theoretically, if a user maintains a single endpoint, or possibly a durable object session, then whenever the user communicates there is a token passed with each request.
This token contains an incrementing id and is encoded using a JWT algorithm. It should contain the user id (the most basic information) and the request number, an unsigned int. Each request is authenticated by a session id.
When a session is created it has a session_id, max_time, start_time, user_id, req_num=0, and there is an encoded JWT saved in a cookie with this information. A new id is made, as well as the expiry time in ms.
et = encryption time, dt = decryption time, nt = network time
We must perform the decryption on each request anyway.
We can cache this for improved performance, but so can a user.
By modifying the header on each request we can prevent a third party from using the session, as they will fuck it up and cause a 404 and logging.
By maintaining one active connection per session we help mitigate session theft, as any stolen cookie, when used, will be out of sequence and return a 404 at auth. The normal response should suggest you log in and view your project tree for all available resources.
Really, normally we need to: receive, validate, decrypt, increment, encrypt, send.
By not rotating the number we could theoretically save the second encryption time. If our backend session is stable we could also save the decrypted data and bring the token size down to a hash of the id and request number. This has to be cryptographically random so as not to leak the request number. This number is only incremented for GET requests. This allows a site to request multiple backend APIs in unison with the same token. This should minimize the requirements on the decrypt and encrypt times.
Since a hash does not need to be decoded, just compared to the session value, the number is then taken from the durable object.