
I have a use case like this and I am wondering if this solution is a good practice or not.

Say I have a website called dashboard.com and this is only for the US region. When users log in here, I am storing their session in the USRedis instance. However, this dashboard has two buttons named USWebApp and EUWebApp.

Assume that this is the UI for dashboard.com (pardon the text-based UI). The dotted elements indicate HTML buttons. So I have two buttons named USWebApp and EUWebApp:

http://www.dashboard.com

----------    ----------
|USWebApp|    |EUWebApp|
----------    ----------

Once the user is logged into dashboard.com and clicks USWebApp, I pass the session cookie to USWebApp, and USWebApp calls USRedis to validate the session. If the session is not valid, we redirect the user back to dashboard.com (and the user logs in again by typing credentials).

On the contrary, the user can click EUWebApp. Again I am passing dashboard.com's session cookie to EUWebApp. However, EUWebApp checks EURedis to validate this session. When the user logged into dashboard.com, I only persisted their session to USRedis. So when EUWebApp tries to validate this session by looking in EURedis, it won't find the session, since I never wrote to EURedis when the user logged into dashboard.com (the main site) in the first place.

Two solutions that I can think of to solve this:

1) EUWebApp should talk only to USRedis to validate the session, instead of talking to EURedis; or

2) When the user logs into dashboard.com, I should store their session in both USRedis and EURedis. Therefore USWebApp can use USRedis while EUWebApp can use EURedis to validate the user session.

What do you guys think about this? Especially the 2nd approach? Is that a good practice?

Apart from these two approaches, do you know any other solutions for my architecture?

More information, in case you're interested (not really needed for this question): I am building a main site and integrating it with a SAML IdP (Identity Provider). Think of dashboard.com as your company's main page where you have access to multiple apps like Word, Splunk, Teams, etc.

  • Why don't you use a role-based access system? For example, US users are members of "usUsers" and EU users are members of "euUsers", and then you handle access based on role membership. – Mr Zach Dec 06 '19 at 12:12
  • Yes, that's what I am doing. The IdP sends those `usUsers` and `euUsers` roles in the SAML response and, based on that, I either disable the `USWebApp` or the `EUWebApp` button. However, if they have access to both, then we need both apps, and hence the question: should I write to 2 Redis instances, so that when the user clicks `USWebApp`, `USWebApp` can validate with `USRedis`, and when the user clicks `EUWebApp`, `EUWebApp` can validate their session with `EURedis`? – theprogrammer Dec 06 '19 at 14:38
  • Then I can't understand why you need a usWebApp and another euWebApp. Your app logic should handle the case where users have access to both regions. Or are you doing this because you are running your app in two different locations? – Mr Zach Dec 06 '19 at 21:00
  • Assume that those apps are not mine; they are maintained by another team, for instance. All I maintain is the dashboard app. I save the session to Redis and send a cookie with the Redis id to the respective apps, and they should validate whether this session is valid. However, the question is whether I should store it in two places, since the apps that I might serve (EUWebApp or USWebApp in this case) may be region based. – theprogrammer Dec 06 '19 at 21:23
  • Then it's not so easy to give a good answer. We need to know how these apps are handling the authentication, how this is stored in cookies and how it's encrypted. – Mr Zach Dec 07 '19 at 10:32
  • I am still not sure why those things matter for this answer. I could be using any tech stack or any authentication mechanism. But once authentication happens, they land on my page. That's when the question's premise starts. The details of transforming the cookie to a Redis id, or building a security context in my app from Redis, are completely independent of whatever tech stack or language I choose. However, those are details that should not be needed to answer this question. At least that's what I believe. – theprogrammer Dec 07 '19 at 20:16
  • If you just want to store the session in two places, you should only do that in the cases where the user should have access to both sites. If not, save it only to the site the user has access to. Once you receive the answer from the IdP, verify it and get the roles the user is a member of, it might be better to just redirect the user directly to the site they belong to based on the role they are a member of. If they are members of both sites, redirect them to a page where they can choose which site to go to. You can also pass the SAML response when the user clicks on button 1 or 2. – Mr Zach Dec 07 '19 at 23:50
  • The thing is, I don't want to pass the SAML response because integrating with SAML is a pain and I don't want the apps that I serve to do that. Hence I am passing a token which they can check with Redis. Anyway, thanks; right now I am doing exactly what you said, I just wasn't sure if it was right to do so. – theprogrammer Dec 08 '19 at 01:07
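As an added example (not code from the question or from either commenter), here is what approach 2, combined with the role check discussed in the comments, looks like in code: dashboard.com issues an opaque, random session id and writes it only to the regional stores the user's roles entitle them to; each regional app validates the cookie against its own Redis and redirects to dashboard.com when the lookup fails, which is exactly the EURedis miss the question describes for a US-only session. Redis is replaced by a constructed in-memory stand-in so the block runs offline; the session TTL, the user names and the logout-revokes-every-copy behaviour are assumptions for illustration.

```python
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple

# Constructed in-memory stand-in for one Redis instance (SETEX / GET / DEL),
# so the example runs offline. A real deployment would use a redis client.
class FakeRedis:
    def __init__(self) -> None:
        self._data: Dict[str, Tuple[str, float]] = {}

    def setex(self, key: str, ttl_seconds: int, value: str) -> None:
        self._data[key] = (value, time.monotonic() + ttl_seconds)

    def get(self, key: str) -> Optional[str]:
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if time.monotonic() >= expires_at:  # expired: behave like Redis, key is gone
            del self._data[key]
            return None
        return value

    def delete(self, key: str) -> int:
        return 1 if self._data.pop(key, None) is not None else 0


SESSION_TTL = 3600  # assumed session lifetime in seconds


class DashboardSessionStore:
    """dashboard.com side: writes the session to every regional Redis the
    user's roles grant access to (approach 2 from the question)."""

    def __init__(self, regional_stores: Dict[str, FakeRedis]) -> None:
        self.stores = regional_stores

    def create(self, username: str, regions: Iterable[str]) -> str:
        # The cookie carries only this random id, never the identity itself.
        session_id = secrets.token_urlsafe(32)
        for region in regions:
            self.stores[region].setex(f"session:{session_id}", SESSION_TTL, username)
        return session_id

    def revoke(self, session_id: str) -> None:
        # Logout must remove every copy, or another region keeps accepting the cookie.
        for store in self.stores.values():
            store.delete(f"session:{session_id}")


class RegionalWebApp:
    """USWebApp / EUWebApp side: validates the cookie against its own region only."""

    def __init__(self, name: str, store: FakeRedis, login_url: str) -> None:
        self.name, self.store, self.login_url = name, store, login_url

    def handle_request(self, session_id: Optional[str]) -> dict:
        username = self.store.get(f"session:{session_id}") if session_id else None
        if username is None:  # unknown, expired or never replicated here
            return {"status": 302, "location": self.login_url}
        return {"status": 200, "user": username, "app": self.name}


def demo() -> Dict[str, int]:
    """Constructed scenario: one user entitled to both regions, one to US only."""
    us_redis, eu_redis = FakeRedis(), FakeRedis()
    dashboard = DashboardSessionStore({"US": us_redis, "EU": eu_redis})
    us_app = RegionalWebApp("USWebApp", us_redis, "http://www.dashboard.com")
    eu_app = RegionalWebApp("EUWebApp", eu_redis, "http://www.dashboard.com")

    both = dashboard.create("alice", ["US", "EU"])   # roles usUsers + euUsers
    us_only = dashboard.create("bob", ["US"])        # role usUsers only
    result = {
        "alice_us": us_app.handle_request(both)["status"],
        "alice_eu": eu_app.handle_request(both)["status"],
        "bob_us": us_app.handle_request(us_only)["status"],
        "bob_eu": eu_app.handle_request(us_only)["status"],  # miss in EURedis -> redirect
    }
    dashboard.revoke(both)
    result["alice_us_after_logout"] = us_app.handle_request(both)["status"]
    result["alice_eu_after_logout"] = eu_app.handle_request(both)["status"]
    return result


if __name__ == "__main__":
    print(demo())
```

The write fan-out in `create` is not atomic across instances: if the EU write fails after the US write succeeded, the user sees exactly the redirect loop described in the question for EUWebApp, so a real implementation should either fail the login or retry until every entitled region has the key, and should apply the same TTL everywhere so the copies expire together.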

0 Answers