About URL with token

Viewed 264 times

1

Good night!

Just a quick question.

I am developing an Android application that will receive information in JSON. The login would be more or less like this:

http://exemplo.com/auth/login/senha

If the check succeeds, you receive a token that grants access to the other information. Everything will work with the token.

http://exemplo.com/token/meu_perfil

That is, with the token received you will be allowed to see the profile information.

Is that safe? Or does it still need to be improved?

Note: I don't like using a framework, to avoid compatibility problems; I use the PHP language.

1 answer

0


Your approach is OK, but can be improved by adding more "security":

  • Use Basic Auth on the login URL, i.e. send the user and password in the format "user:password", encoded in Base64, in the request header. Example:

    import java.net.Authenticator;
    import java.net.HttpURLConnection;
    import java.net.PasswordAuthentication;
    import java.net.URL;

    // Register the credentials once; HttpURLConnection answers the server's
    // 401 challenge with a Basic "Authorization" header built from them.
    Authenticator.setDefault(new Authenticator() {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("myuser", "mypass".toCharArray());
        }
    });
    HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
    c.setUseCaches(false);
    c.connect();


or you can simply add a request property to the connection:

    // android.util.Base64.encode() returns a byte[]; use encodeToString() so the
    // header carries text, and use the standard scheme name "Basic".
    c.setRequestProperty("Authorization", "Basic " +
            Base64.encodeToString("myuser:mypass".getBytes(), Base64.NO_WRAP));
  • For the other URLs, send the token in the request header and always make sure that the token is encrypted and not only encoded in Base64, which allows anyone to reuse a token even if it is expired. You can use the "Authorization" header to that end.

Finally, avoid sending any sensitive information without encryption, let alone in the URL path.

  • Is this syntax the Java language? Can you give me an example in JavaScript? What I understood is that you meant sending the information in the HTTP header with encrypted data? Correct?

  • Yes, the example is Java and Android. In JavaScript it is the same: you will make an Ajax call passing the encrypted headers.
