About URL with token

Question

About URL with token

Asked 7 years, 3 months ago

Viewed 264 times

1

Good night!

Just take a doubt.

I am developing an android application and will receive information in json, but when login, it would be more or less like this

http://exemplo.com/auth/login/senha

if the check is correct you will receive a token to gain access to the other information. Everything will be worked with token.

http://exemplo.com/token/meu_perfil

That is with token received you will be allowed to see the profile information.

Is that safe? Or does it still need to be improved?

Note: I don’t like using Framework to avoid compatibility, I use the PHP language.

1 answer

Browser other questions tagged token auth

You are not signed in. Login or sign up in order to post.

by Gyowanny Pessatto Queiroz • **136** points · Answer 1 · 2017-08-09T09:39:35+00:00

Your approach is OK, but can be improved by adding more "security":

Use Basic Auth in the login url, ie send user and password format "user:password" coded in Base64 on the request header. Example:

Authenticator.setDefault(new Authenticator(){
protected PasswordAuthentication getPasswordAuthentication() {
    return new PasswordAuthentication("myuser","mypass".toCharArray());
}});
HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
c.setUseCaches(false);
c.connect();

or you can simply add a request Property to the connection:

c.setRequestProperty("Authorization", "basic " +
                Base64.encode("myuser:mypass".getBytes(), Base64.NO_WRAP));

For the other Urls, send the token in the request header and always make sure that the token is encrypted and not only encoded in Base64 which allows anyone to reuse a token even if it is expired. You can use the header "Authorization" to that end.

Finally, avoid sending any sensitive information without being encrypted, let alone in the URL path.