Tags: session, web-applications, webauthn

How to manage Webauthn + user session?


Imagine I have a webapp, and the registration/auth flows work properly. The user can register, authenticate, and get verified by the server. Now, I suppose, there is still some work to do to make sessions work for a user?

For example, when the user authenticates, the webapp should either set a cookie or keep some token of the user in the internal store to make authenticated requests possible?

Are there recommended practices on how to combine WebAuthn and session management, or should the session be implemented just the way it's usually implemented, independently of it being used with WebAuthn?


Solution

  • There is nothing unique to signing in with a passkey with regard to session management. Cookies are typically used to represent a session client-side. Many front-end frameworks will set a session cookie automatically. Typically session cookies are HttpOnly to mitigate JavaScript-based cookie hijacking.

    OWASP has some great resources around session security and cookies: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html