Closed nioc closed 1 year ago
May I suggest that you do this all the time?
Nowadays most clients have something of the form 'client name.random bits' set as a resource. Reusing the same resource isn't something recommended anymore (I would need to ask someone for the reasoning behind it).
I'm glad you asked, I opened this issue for this very reason 😎 I did not know what the recommendations are for the resource.
By the way, are there any rules or constraints to respect regarding the format of the resource (forbidden characters or other things)? I did not find anything, even in §3.4.
Wait! You are too fast! ^^'
I went to confirm on the XSF channel and I was off, here is what I got:
best practice is to use a randomized (or server-assigned) resource, but then re-use that resource for subsequent reconnects, as it, for example, improves the chances that you get stanzas that were addressed to this resource prior to the reconnect
one could argue that a malicious actor may learn your resource, so you may still want to rotate it once in a while
And
If someone knows (or can guess) your resource then they can tell when you are online, which is considered a presence leak and something we have always tried to protect against
So basically you still want to do this, generate a random resource, except you want to store it and reuse it all the time.
Also, "obviously", this doesn't apply for SASL ANONYMOUS, as it's not possible to reuse the same session anyway.
As for constraints on the resource, there's an updated spec here: https://www.rfc-editor.org/rfc/rfc6122#section-2.4. And in general the 3920 RFC series is obsolete and 6120 is to be used :)
No problem, if needed, I will reopen it or create a new one.
I'm not sure what is best, but I suggest we can initialize a random string at register tab creation and then store it in memory (not local storage, since it would be reused across other tabs) and reuse it for this specific tab (it would apply only for logout / reconnect). Am I right?
Yeah that sounds alright to me!
Intended behavior
When I develop the application, I would like to have two instances for the same user.
Solution
Randomize the resource in dev mode.
Alternatives
No response
Priority
Could-have
Users scope
registered users
Affected features
login
Pull request
yes