Files

T

koriweb d8a80f6272 chore(wiki): dangling 링크 canonical 정규화 (768파일/1200건)

이름만 다른(표기 변형) [[위키링크]]를 대상 문서의 canonical 제목으로 치환해
끊겼던 1,200개 링크를 연결. 제목/파일명 정규화 일치만 적용하고 별칭 매칭은
과병합 위험으로 제외(애매성 가드). 원본은 _link_reconcile_backup/ 에 백업.
도구: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-08 12:24:15 +09:00

5.2 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

title

Session Lifecycle

매 한 줄

"매 user 의 매 authenticated state 의 매 birth → death". Session lifecycle 는 매 login 으로 매 시작, 매 idle/absolute timeout 또는 매 explicit logout 으로 매 끝. 2026 현재 매 stateless JWT 의 매 short-lived access token (15 min) + 매 stateful refresh token (rotating, server-revocable) 의 매 hybrid 가 매 dominant; 매 OWASP ASVS V3 가 매 baseline.

매 핵심

매 Phases

Auth: credential verify (password, MFA, passkey).
Issue: session token (cookie / JWT) + binding (UA, IP optional).
Validate: per-request check + refresh.
Refresh: rotation on each use.
Terminate: logout, idle (15-30min), absolute (12-24h), forced (admin, breach).

매 Token strategies

Stateful (DB session): server stores; revocable instantly; scale via Redis.
Stateless JWT: signed token; revocation via short TTL or blocklist.
Hybrid: short JWT access + opaque refresh in DB.

HttpOnly — XSS protection.
Secure — TLS only.
SameSite=Lax (or Strict) — CSRF.
__Host- prefix — domain lock.
Path=/ and reasonable Max-Age.

매 응용

Web SPA + cookie session.
Mobile app + refresh-token rotation.
SSO (SAML/OIDC) federated.
Service mesh (mTLS-based).

💻 패턴

import session from "express-session";
import RedisStore from "connect-redis";
app.use(session({
  store: new RedisStore({ client: redis, prefix: "sess:" }),
  secret: process.env.SESSION_SECRET!,
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true, secure: true, sameSite: "lax",
    maxAge: 30 * 60_000, // idle timeout via touch
  },
  rolling: true,
}));

JWT access + rotating refresh

function issueTokens(userId: string) {
  const access = jwt.sign({ sub: userId }, ACCESS_SECRET, { expiresIn: "15m" });
  const refresh = crypto.randomUUID();
  redis.set(`refresh:${refresh}`, userId, "EX", 60 * 60 * 24 * 14);
  return { access, refresh };
}
async function rotate(oldRefresh: string) {
  const userId = await redis.get(`refresh:${oldRefresh}`);
  if (!userId) throw new Error("invalid");
  await redis.del(`refresh:${oldRefresh}`); // single-use
  return issueTokens(userId);
}

Idle + absolute timeout

type Session = { userId: string; createdAt: number; lastSeenAt: number };
const ABSOLUTE = 24 * 3600_000;
const IDLE = 30 * 60_000;

function valid(s: Session): boolean {
  const now = Date.now();
  return now - s.createdAt < ABSOLUTE && now - s.lastSeenAt < IDLE;
}

Global logout (token version)

// User table column: tokenVersion (incremented on logout-everywhere)
const access = jwt.sign({ sub: user.id, ver: user.tokenVersion }, SECRET);
// On verify
if (decoded.ver !== currentUser.tokenVersion) throw new Error("revoked");

Session hijack defense (binding)

function bindClaims(req: Request) {
  return crypto.createHash("sha256")
    .update(req.headers["user-agent"] + req.ip).digest("hex");
}
// On issue: store. On validate: compare. Mismatch → require re-auth.

Concurrent session limit

const sessions = await redis.smembers(`user_sessions:${userId}`);
if (sessions.length >= 5) {
  const oldest = sessions[0];
  await redis.del(`sess:${oldest}`);
  await redis.srem(`user_sessions:${userId}`, oldest);
}

매 결정 기준

상황	Approach
매 Web SPA, 매 same domain	Cookie + CSRF token
매 mobile / cross-origin	JWT access + refresh in secure storage
매 high-security (banking)	Short access (5m) + step-up auth
매 SSO required	OIDC + IdP-managed session

기본값: HttpOnly Secure SameSite=Lax cookie + Redis-backed session, 30m idle / 24h absolute.

🔗 Graph

🤖 LLM 활용

언제: Session anomaly detection (매 sudden geo / device shift), suspicious-activity summary for support. 언제 X: 매 token issuance / signing — 매 deterministic crypto only.

❌ 안티패턴

localStorage JWT: 매 XSS → 매 token theft. 매 HttpOnly cookie.
No refresh rotation: 매 leaked refresh = 매 forever access.
No absolute timeout: 매 1년 session — 매 dormant account hijack.
Client-side only check: 매 every request server-side.

🧪 검증 / 중복

Verified (OWASP Session Management Cheat Sheet, ASVS V3, NIST SP 800-63B).
신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — JWT+refresh hybrid + passkey-era state

5.2 KiB Raw Blame History