Getflv Open Source Alternative

What follows is a 2 part series on session management — inspired by extensive conversations with over 70 developers and our own intensive research. We will explore different session management practices, identify issues and converge on a solution to these issues. Through it all, I hope to leave you with clarity on deciding how to manage user sessions (and auth tokens) for your application. In 20 minutes, we summarise all the important information it took us hundreds of hours to obtain and document.

This is part 1 in a two-part series on session management.


Part 1: Introduction to session management, analysis of most commonly used session flows, and best practices

Part 2: Analysis of a new, open source session flow that is secure and easy to integrate into existing systems — provided by SuperTokens

Specifically, in part 1, we cover

Note: Do not confuse session management with OAuth, as the latter is a protocol designed only for the purpose of delegation. Session management, for the purpose of this article, is about how auth tokens are handled, stored and changed during an active session — whether it be for OAuth flows, or for server-client session flows.

Why is session security important?

Session security is an important consideration in the design of any system that requires communication between a server and a client. Improper security can lead to user accounts being vulnerable to unauthorized access. OWASP (Open Web Application Security Project — leading authority for security) considers the improper implementation of authorisation / authentication as the second biggest risk to application security. Several notable hacks illustrate this point:


  • The Docker hub database hack earlier this year resulted in stolen Github access tokens. Source
  • Gitlab had a vulnerability where all its users’ auth tokens were exposed in the URLs, had no expiry time and were susceptible to brute force attacks due to their short length. Source
  • A software bug made it possible to steal access tokens — affecting 90 million Facebook accounts. Source
  • Youtube influencers’ accounts were compromised for several days via session token theft to completely hijack their accounts and change their video content. The tokens were stolen via malware installed on the victim’s computer. Source

It is tricky, time-consuming and expensive to correctly implement user session management. According to an a16z operating partner (top-tier VC) and former Box CSO (Chief Security Officer), authentication and authorisation is the number one spending cost for organisations when it comes to their security budget. Source

This is the tip of the iceberg but we hope it is enough for anyone to realize that they could be the next Titanic if they do not correct their course.

JWTs vs Opaque access tokens

We’ll briefly explore the two predominant types of tokens that are used in session management. Several of the flows we discuss require an understanding of these tokens.

JSON Web Tokens (JWT)

  • Each JWT contains specific information that can be interpreted by any party that has that token. For example, this information can contain the user ID of the user for whom it was issued.
  • An advantage of using JWTs is scalability as the backend does not need to do a database lookup for every API call.
  • The drawback is that revoking a single token on demand (before it expires) can be difficult if methods like blacklisting are not used (which impacts the scalability of the solution). However, one can revoke all tokens by changing the signing key.

Opaque Tokens

  • These are random strings which act as pointers to information that is held only by the system that issues them.
  • These require a database/cache lookup each time they are used.

While these two token types have different properties, theft of either type can lead to unauthorised access to a user’s account.
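To make the trade-off concrete, here is an added example (not code from the article or from SuperTokens) that puts a minimal HS256 JWT next to an opaque token store. The JWT is verified with nothing but the signing key, its claims are readable by anyone holding it, and the only way to revoke it in this setup is to rotate the key, which invalidates every JWT at once; the opaque token needs a lookup on every use but can be revoked one row at a time. Names such as `OpaqueTokenStore`, `compare_revocation` and the `user-42` subject are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Added example (not the article's code): a hand-rolled HS256 JWT beside an
# opaque token store, to show how verification and revocation differ.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """header.payload.signature; the claims are only encoded, not encrypted,
    so any holder of the token can read e.g. the user id in "sub"."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def jwt_verify(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if the signature checks out under `key` and the token
    has not expired. No database lookup: the key alone decides. The alg is
    pinned to HS256 so a token claiming alg "none" is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class OpaqueTokenStore:
    """Random strings that mean nothing on their own; every use costs a lookup,
    but any single token can be revoked by deleting its row."""

    def __init__(self) -> None:
        self._rows = {}  # token -> {"user": ..., "exp": ...}

    def issue(self, user_id: str, ttl: int, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._rows[token] = {"user": user_id, "exp": now + ttl}
        return token

    def lookup(self, token: str, now: int) -> Optional[str]:
        row = self._rows.get(token)
        if row is None or row["exp"] <= now:
            return None
        return row["user"]

    def revoke(self, token: str) -> None:
        self._rows.pop(token, None)


def compare_revocation(now: int = 1_000) -> dict:
    """Constructed walk-through of both token types (no real sessions involved)."""
    key_v1 = secrets.token_bytes(32)
    jwt = jwt_sign({"sub": "user-42", "exp": now + 3600}, key_v1)
    key_v2 = secrets.token_bytes(32)  # rotating the key revokes every JWT at once
    store = OpaqueTokenStore()
    opaque = store.issue("user-42", 3600, now)
    before = store.lookup(opaque, now)
    store.revoke(opaque)  # revokes exactly this one session
    return {
        "jwt_claims": jwt_verify(jwt, key_v1, now),
        "jwt_after_key_rotation": jwt_verify(jwt, key_v2, now),
        "opaque_before_revoke": before,
        "opaque_after_revoke": store.lookup(opaque, now),
    }


if __name__ == "__main__":
    print(compare_revocation())
```

In production you would use a maintained JWT library rather than the hand-rolled encoder above; the point of writing it out is to show that verification is pure computation over the key, which is exactly why a single JWT cannot be "deleted" the way an opaque token can.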


Common attacks on sessions

Auth tokens are stored on the frontend and the backend and are frequently sent over the network (depending on the session flow). As such, they are vulnerable to several types of attacks.

  • OAuth token theft
  • CSRF
  • Session fixation
  • Social Engineering / physical access

While it may seem that these attacks are unlikely, it is important to take session security seriously and deploy appropriate measures. The vulnerability of the system is based on the cumulative probabilities of all the types of attacks.

Further on, we discuss how each of these attacks could lead to token theft and we explore best practices to mitigate against these types of attacks.

To keep tokens safe, a system architect should not only prevent tokens from being stolen but, as a fail-safe, also ensure that should token theft occur, the system is able to detect it as quickly as possible. Detection is an important concept to consider and will be explored in the next section.

Detection vs Prevention of stolen auth tokens

Prevention is a first line of defense and all attempts should be made to minimize theft. However, auth tokens are fundamentally susceptible to theft because they are transmitted to an untrusted party (the app’s frontend). Hence, detection of token theft has an important role to play in the security of the system. Existing detection methods rely largely on heuristic algorithms such as tracking sudden changes in IP addresses and browser (or mobile) fingerprints and flagging “unusual user behaviour”. Unfortunately, these methods themselves can be inaccurate, easy to spoof and difficult to implement. However, there is a reliable way to integrate detection of theft in the session management flow and in part 2, we propose a flow that does that.

On a related note, in cases where session vulnerabilities are publicly exposed, companies may release statements stating that there was no indication that the vulnerability was exploited. However, what they fail to mention is how extensively their system would be able to detect token theft in the first place!

Common ways of implementing session management flows

We’ve identified the most commonly used session management flows and classified them into 5 groups.

  1. Long-lived access token
  2. Short — Medium term lived access token used to get a new access token
  3. Short — Medium term lived access token whose usage extends its expiry
  4. Short-lived access tokens
  5. Short-lived access token with long-lived refresh token

1. Long-lived access token

  • If the user voluntarily logs out, the access token is revoked and cleared from the frontend.

Damage Analysis
The critical auth token is perpetually exposed over three attack surfaces — the frontend, during transit and the backend.

Effect of stolen auth tokens:
The attacker would have unauthorised access to the victim’s account until the token’s expiry time — which could be weeks or months!

Detection of theft:
Token theft may only be detected through the use of heuristic algorithms or if the user notifies the provider/developer of the service.

Once detected:
If the flow is implemented using JWTs, it may be difficult to revoke the token. However, stolen Opaque access tokens can be easily revoked.

2. Short-Medium term lived access token used to get a new access token

  • The new access token can be used by the frontend even if the previous token has not expired.
  • If the user voluntarily logs out, the access token is revoked on the backend and cleared from the frontend.
  • It is likely that a user will be logged out if the access token is short lived.

Damage analysis
The critical auth token is perpetually exposed over three attack surfaces — the frontend, during transit and the backend.

Effect of stolen auth tokens:
An attacker must constantly renew their token to maintain unauthorised access.

Detection of theft:
To stay logged in, both the attacker and victim need to request the server for a new access token before the current (stolen) token expires. Both would do this using the same access token. If the same token is used twice for the request, then the system could deduce that there has been a theft — depending on how the frontend is implemented. A shorter-lived access token would enable quicker detection of theft, but it may also result in poor user experience due to repeated logouts when there is no theft.

Once detected:
The access token associated with this session would need to be revoked. It may be complex to stop the attack if the access token is a JWT.

3. Short-Medium term lived access token whose usage extends its expiry

  • If the user voluntarily logs out, the access token is revoked and cleared from the frontend.

Damage Analysis
The critical auth token is perpetually exposed over three attack surfaces — the frontend, during transit and the backend. Note that this flow does not apply to JWTs, as extending their expiry time would result in a change of the token value itself (thank you Mehmood Deshmukh for pointing this out).

Effect of stolen auth tokens:
As long as either the victim or the attacker is active, the attacker would be able to maintain unauthorised access.

Detection of theft:
Token theft may only be detected through the use of heuristic algorithms or if the user notifies the provider/developer of the service.

Once detected:
The access token associated with this session would need to be revoked.

4. Short-lived access tokens

  • If the user voluntarily logs out, the access token is revoked and cleared from the frontend.

Damage Analysis
There are no critical auth tokens in this case. However, this method frequently exposes the user’s credentials during transit — making it susceptible to attack.

Effect of stolen auth tokens:
If the token is stolen, the attacker will only be able to do damage for a short period of time.

Detection of theft:
Token theft may only be detected through the use of heuristic algorithms or if the user notifies the provider/developer of the service.

Once detected:
Access tokens need not be revoked since they are short lived. However, if needed, Opaque access tokens can be revoked by removing them from the database.

5. Short-lived access token with long-lived refresh token


  • If the user voluntarily logs out, the access token is revoked and cleared from the frontend.

Damage analysis
The critical auth token (refresh token) is perpetually exposed over two attack surfaces, the frontend and the backend, and occasionally exposed over transit.

Effect of stolen auth tokens:
Access token stolen: The attacker will have unauthorised access for a short period of time (until token expiry).

Refresh token stolen: The attacker can use the stolen refresh token to get new access tokens and have unauthorised access to the victim’s account over a long period of time. In rare scenarios (described below), this theft can be detected and the damage can be minimised.

Detection of theft:
Access token stolen: This theft may only be detected through use of heuristic algorithms or if the user notifies the provider / developer of the service.

Refresh token stolen: Detection of theft is possible in certain scenarios and implementations. For example:

  • One implementation could result in previous access tokens being immediately revoked upon generation of a new access token. This enables the system to recognize theft in the case when the attacker and victim are online at the same time. For example: if the attacker uses the refresh token, the victim’s access token would be revoked — causing the victim to request a new access token. This would result in another request from the attacker and so on. If the backend could detect short interval requests for new access tokens, then it would be possible to deduce that there has been a theft.
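The following is an added example (not the article's code, nor the SuperTokens flow from Part 2) that implements, for flow 5, the two detection ideas discussed above for flows 2 and 5: the previous access token stops working as soon as a refresh produces a new one, and the refresh token itself is rotated on every use, so that the same refresh token being presented twice (as happens when a thief and the victim both hold it) is treated as a theft signal and the whole session is revoked. It also flags a refresh that arrives unusually soon after the previous one. The class and method names, the TTLs and the 60-second rapid-refresh window are assumptions for the example.

```python
import secrets
from typing import Optional


class SessionStore:
    """Added example for flow 5 with refresh-token rotation and reuse detection.
    TTLs and the rapid-refresh window are assumed values, not from the article."""

    ACCESS_TTL = 300               # seconds an access token lives (assumed)
    REFRESH_TTL = 30 * 24 * 3600   # seconds a refresh token lives (assumed)
    RAPID_REFRESH_WINDOW = 60      # a refresh this soon after the last one is suspicious (assumed)

    def __init__(self) -> None:
        self.sessions = {}    # session id -> state dict
        self.by_access = {}   # access token -> session id
        self.by_refresh = {}  # every refresh token ever issued (current or spent) -> session id

    def _rotate(self, sid: str, now: int) -> tuple:
        """Issue a fresh access/refresh pair. The previous access token stops
        working because a session only honours its current one."""
        s = self.sessions[sid]
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        s.update(access=access, access_exp=now + self.ACCESS_TTL, refresh=refresh)
        self.by_access[access] = sid
        self.by_refresh[refresh] = sid
        return access, refresh

    def login(self, user_id: str, now: int) -> tuple:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user_id, "refresh_exp": now + self.REFRESH_TTL,
                              "last_refresh": now, "revoked": False}
        access, refresh = self._rotate(sid, now)
        return sid, access, refresh

    def authenticate(self, access: str, now: int) -> Optional[str]:
        s = self.sessions.get(self.by_access.get(access))
        if s is None or s["revoked"] or s["access"] != access or s["access_exp"] <= now:
            return None
        return s["user"]

    def logout(self, sid: str) -> None:
        self.sessions[sid]["revoked"] = True

    def refresh(self, presented: str, now: int) -> dict:
        sid = self.by_refresh.get(presented)
        s = self.sessions.get(sid)
        if s is None or s["revoked"] or s["refresh_exp"] <= now:
            return {"status": "invalid"}
        if s["refresh"] != presented:
            # A spent refresh token came back: two parties (victim and thief)
            # hold it. Revoke the whole session so both lose access, and report.
            self.logout(sid)
            return {"status": "reuse_detected", "session": sid}
        rapid = (now - s["last_refresh"]) < self.RAPID_REFRESH_WINDOW
        s["last_refresh"] = now
        access, refresh = self._rotate(sid, now)
        return {"status": "ok", "access": access, "refresh": refresh, "rapid_refresh": rapid}


def theft_walkthrough() -> list:
    """Constructed timeline: the refresh token is stolen right after login and
    the thief uses it before the victim does."""
    store = SessionStore()
    sid, access1, refresh1 = store.login("alice", now=0)
    events = []
    thief = store.refresh(refresh1, now=100)  # thief rotates first and gets a working pair
    events.append(("thief_refresh", thief["status"]))
    events.append(("victim_old_access", store.authenticate(access1, now=101)))  # None: revoked
    victim = store.refresh(refresh1, now=110)  # victim presents the same, now spent, token
    events.append(("victim_refresh", victim["status"]))
    events.append(("thief_access_after_detection", store.authenticate(thief["access"], now=111)))
    return events


if __name__ == "__main__":
    for event in theft_walkthrough():
        print(event)
```

The walk-through ends with both the victim and the thief logged out, which is the intended fail-safe: the victim has to sign in again, but the thief's access is cut off instead of lasting for the life of the refresh token. Note that detection in this design only triggers while both parties are active, exactly the limitation the text describes.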

Once detected:
Access tokens need not be revoked since they are short lived. However, if needed, Opaque access tokens can be revoked easily by removing them from the database.

Refresh tokens can be revoked easily by removing them from the database.

These flows are not designed with token theft detection as a requirement. In Part 2, we propose an alternate session flow that we believe would be far more secure. For now, we’ll revisit the types of attacks that sessions are vulnerable to and some steps to mitigate against the risks.

Best practices for attack mitigation

Man in the middle attacks

  1. When using HTTP or incorrectly implementing HTTPS:
    If the application does not use https and secure cookies, an attacker could connect to the same network as the victim, monitor the network packets and see the auth tokens in plain text during transit. Often, even when the application has an SSL certificate, an incorrect implementation can lead to MITM attacks. For example, ESPN.com sends auth cookies over unsecured HTTP (as of 10th May 2019) and this Netcraft article elaborates on the prevalence of incorrectly implemented https.
  2. When using a Proxy:
    Two of the last three organizations I worked at monitored all the traffic on their network. At workplaces, devices likely use the corporate wifi network. Companies can enable the connected devices to trust their network proxy as an SSL Certificate Authority as a prerequisite to connect to the wifi. This would enable them (or a malicious actor) to see auth token information during transmission.

OAuth token theft

XSS Attack

CSRF

Database/filesystem access

  • Store only the hashed versions of the refresh and access tokens in your database to prevent an attacker from hijacking any live session. This recommendation is applicable to all implementations described above.
  • Using JWTs requires the private key to be stored on the server — which is susceptible to theft. If the attacker obtains the private key, they will be able to hijack both current and future sessions. To limit the damage, the private key used to sign the JWTs will need to be changed — instantly invalidating all current JWTs. In methods that use a refresh token (flow 5, Part 1 and the proposed flow in Part 2), changing the private key will not affect the user experience as the refresh token will be used to generate a JWT signed with the new private key.
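An added example (not the article's code) of the first recommendation above: the server stores only a SHA-256 fingerprint of each opaque token, so someone who reads the database or a backup gets rows that cannot be replayed as tokens. Because the tokens come from a CSPRNG with 256 bits of entropy, a plain fast hash is sufficient; salts and slow password hashes defend low-entropy secrets, which these are not. `HashedTokenTable`, `breach_simulation` and the user `alice` are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Optional


def fingerprint(token: str) -> str:
    """SHA-256 of the raw token; this is the only form the server ever stores.
    Fine without salt or a slow KDF because the token itself is 256 random bits."""
    return hashlib.sha256(token.encode()).hexdigest()


class HashedTokenTable:
    """Added example, not the article's code: token rows keyed by fingerprint."""

    def __init__(self) -> None:
        self.rows = {}  # fingerprint -> {"user": ..., "kind": "access" | "refresh", "exp": ...}

    def issue(self, user_id: str, kind: str, ttl: int, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.rows[fingerprint(token)] = {"user": user_id, "kind": kind, "exp": now + ttl}
        return token  # the only copy of the raw token goes to the client

    def resolve(self, presented: str, kind: str, now: int) -> Optional[str]:
        """Hash what the client presents and look that up; the kind check stops
        an access token being used where a refresh token is expected."""
        row = self.rows.get(fingerprint(presented))
        if row is None or row["kind"] != kind or row["exp"] <= now:
            return None
        return row["user"]

    def revoke(self, presented: str) -> None:
        self.rows.pop(fingerprint(presented), None)

    def leaked_rows(self) -> list:
        """What someone with read access to the database (or a backup) obtains."""
        return [(fp, row["user"], row["kind"]) for fp, row in self.rows.items()]


def breach_simulation(now: int = 0) -> dict:
    """Constructed scenario: issue two tokens, then replay the leaked rows."""
    table = HashedTokenTable()
    refresh = table.issue("alice", "refresh", 30 * 24 * 3600, now)
    access = table.issue("alice", "access", 300, now)
    leaked = table.leaked_rows()
    # The attacker tries every stored value as if it were a live token.
    replay = [table.resolve(fp, kind, now) for fp, _, kind in leaked]
    return {
        "legit_refresh": table.resolve(refresh, "refresh", now),
        "legit_access": table.resolve(access, "access", now),
        "wrong_kind": table.resolve(access, "refresh", now),
        "expired_access": table.resolve(access, "access", now + 300),
        "rows_leaked": len(leaked),
        "replayed_rows_accepted": sum(r is not None for r in replay),
    }


if __name__ == "__main__":
    print(breach_simulation())
```

The same fingerprint-on-write, hash-on-read pattern applies to refresh tokens in flow 5 and to the opaque tokens of flows 1 to 4; the live token exists only in the client's cookie or storage, never in a row an attacker could copy out.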

Session fixation

Brute force attack


Social engineering / Physical access

  • An attacker could simply read the cookies (even if they are secure or HttpOnly) by inspecting the application page if the service is accessible via a browser. On a mobile app, this is harder but still possible.
  • Depending on how an app’s session flows are implemented, an attacker could steal a user’s auth tokens even after the victim has logged out of the app. This video from 2013 shows how Twitter did not invalidate the session cookie even after the user logged out. As a commenter points out, this was still occurring even in 2016!

Part 2

As a blog owner, I remember how difficult it was for me to decide whether I should use an open source solution for the commenting system of my blog. After a while, I decided to go with Disqus, as for a starter it's quite a good solution; however, as you progress with your blog, you will notice that in many ways it's not the best solution at all. For a lot of people that is because of privacy, and for others, like me, because of the pricing. Disqus offers a free plan up to some point, but once your blog reaches a significant amount of views, you will have to move to the pro plan, which in some way is a lot considering that you can achieve the same if you decide to move to a self-hosted open source solution (yeah, we will stop using Disqus once we reach the 50K daily views that they offer for the pro plan [USD $9]).

In this list, we share with you 7 open source commenting systems for blogs and static pages that you can self-host on your server.

7. HashOver

HashOver is a free and open source PHP comment system designed to allow completely anonymous comments and easy theming. HashOver is intended as a replacement for proprietary services like Disqus. HashOver adds a 'comment section' to any website by placing a few simple lines of JavaScript or PHP to the source code of any webpage. HashOver is a self-hosted system. Comments can be stored in either flat-file formats like XML or JSON or SQL databases. HashOver is licensed under the GNU Affero General Public License.

6. Schnack


Schnack is an open source commenting system written in JavaScript.

  • Tiny! It takes only ~8 KB to embed Schnack.
  • Open source and self-hosted.
  • Ad-free and tracking-free. Schnack will not disturb your users.
  • It's simple to moderate, with a minimal and slick UI to allow/reject comments or trust/block users.
  • Webpush protocol to notify the site owner about new comments awaiting moderation.
  • Third party providers for authentication like Github, Twitter, Google and Facebook. Users are not required to register a new account on your system and you don't need to manage a user management system.

5. Valine

Valine is a fast, simple & powerful comment system.

  • Emoji 😉
  • High speed.
  • Safe by default.
  • No server-side implementation.
  • Support for full markdown syntax.
  • Simple and lightweight
  • Article reading statistics (v1.2.0+)


4. Commentics

Commentics is a free, advanced PHP comment script with many features. Professionally written and with open source code, its main aims are to be integrable, customizable and secure. It is designed to be integrated into existing pages. Fresh and relevant content not only helps in retaining visitors but also in keeping search engines interested. For the reasons below, Commentics is an ideal choice for this. Use it on your articles or even as a standalone comments page.

3. Commento

Half a second increase in page load time results in a 20% decrease in site traffic. Commento is lighter and faster than alternatives, at just 11 KB of JavaScript and CSS.


Commento has not, does not, and will not gather your personal information to sell to advertisers, third-party trackers, or other organisations. With Commento's advanced moderation tools, automatic spam filtering, and Akismet integration, you and your readers will never see any spam.

2. Remark42

Remark42 is a self-hosted, lightweight, and simple (yet functional) commenting system, which doesn't spy on users. It can be embedded into blogs, articles or any other place where readers add comments.

  • Social login via Google, Twitter, Facebook, GitHub and Yandex
  • Login via email
  • Optional anonymous access
  • Multi-level nested comments with both tree and plain presentations
  • Markdown support with friendly formatter toolbar
  • Privacy-focused
  • Import from Disqus
  • Moderator can remove comments and block users
  • Voting, pinning and verification system
  • Sortable comments
  • Images upload with drag-and-drop and clipboard
  • List of recent comments from all posts
  • Export comments to json and automatic backups
  • RSS for all comments, each post and replies
  • Telegram notifications
  • No external databases, everything embedded in a single data file
  • Fully dockerized and can be deployed in a single command
  • Self-contained executable can be deployed directly to Linux, Windows and MacOS
  • Clean, lightweight and customizable UI with white and dark themes
  • Multi-site mode from a single instance
  • Integration with automatic SSL

1. Isso

Isso (Ich schrei sonst) is a lightweight commenting server written in Python and JavaScript. It aims to be a drop-in replacement for Disqus. It allows anonymous comments, maintains identity and is simple to administrate. It uses JavaScript and cross-origin resource sharing for easy integration into (static) websites.

If you know another awesome open source commenting system solution, please share it with the community in the comment box.