Restful Web Service Authentication with PHP


1

Hello, I am developing a RESTful API, but I wonder if it is safe to authenticate users by passing the token in the URL, and if there is any other safer method.

2 answers

1

Normally, access tokens have a lifetime of one hour, depending on the endpoint settings.

The URL is not usually the safest method, as it is exposed even on secure connections. The ideal is to pass the token through the Authorization header, as follows:

Authorization: Bearer <token>

This method is part of the OAuth 2.0 authorization framework. Read more in RFC 6750.

  • And is storing this token in the client's local storage the best option?

  • This token will be used in the headers until it expires, and then you renew it using the user credentials or a refresh token. Ideally, you store it somehow until that happens.
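The header-based scheme the answer describes, as an added PHP example (not code from the original answer): tokens are issued with the one-hour lifetime mentioned above, stored only as hashes, read from the `Authorization: Bearer` header, and renewed through a rotating refresh token as the comment suggests. The in-memory `$store` array, the constants and the function names (`issueTokens`, `bearerTokenFromHeaders`, `authenticate`, `refreshTokens`) are this example's own assumptions standing in for a database and an application framework.

```php
<?php
// Added example, not from the original answer: issuing and validating bearer
// tokens for a PHP REST API. $store is an in-memory stand-in for a database
// table; all function and constant names are this example's own.
declare(strict_types=1);

const ACCESS_TTL  = 3600;       // one hour, as the answer describes
const REFRESH_TTL = 30 * 86400; // 30 days (assumed value for this example)

// Tokens are stored only as SHA-256 hashes, so a leaked table dump does not
// hand out usable credentials.
function tokenKey(string $token): string
{
    return hash('sha256', $token);
}

// Issue an opaque access/refresh token pair for $userId.
function issueTokens(array &$store, int $userId, int $now): array
{
    $access  = bin2hex(random_bytes(32));
    $refresh = bin2hex(random_bytes(32));
    $store['access'][tokenKey($access)]   = ['user' => $userId, 'exp' => $now + ACCESS_TTL];
    $store['refresh'][tokenKey($refresh)] = ['user' => $userId, 'exp' => $now + REFRESH_TTL];
    return ['access_token' => $access, 'refresh_token' => $refresh,
            'token_type' => 'Bearer', 'expires_in' => ACCESS_TTL];
}

// Extract the token from "Authorization: Bearer <token>" (RFC 6750, section 2.1).
// Returns null when the header is missing or uses another scheme.
function bearerTokenFromHeaders(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') !== 0) {
            continue;
        }
        if (preg_match('/^\s*Bearer\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/i', $value, $m)) {
            return $m[1];
        }
    }
    return null;
}

// Resolve a bearer token to a user id, or null if unknown or expired.
function authenticate(array &$store, ?string $token, int $now): ?int
{
    if ($token === null) {
        return null;
    }
    $key    = tokenKey($token);
    $record = $store['access'][$key] ?? null;
    if ($record === null) {
        return null;
    }
    if ($record['exp'] <= $now) {
        unset($store['access'][$key]); // expired: drop it from the store
        return null;
    }
    return $record['user'];
}

// Exchange a refresh token for a new pair. The used refresh token is revoked
// (rotation), so a stolen copy cannot be replayed after the legitimate client
// has refreshed.
function refreshTokens(array &$store, string $refresh, int $now): ?array
{
    $key    = tokenKey($refresh);
    $record = $store['refresh'][$key] ?? null;
    if ($record === null || $record['exp'] <= $now) {
        return null;
    }
    unset($store['refresh'][$key]);
    return issueTokens($store, $record['user'], $now);
}

// --- constructed demo -----------------------------------------------------
$store = ['access' => [], 'refresh' => []];
$now   = time();
$pair  = issueTokens($store, 42, $now);

$headers = ['Content-Type'  => 'application/json',
            'Authorization' => 'Bearer ' . $pair['access_token']];
var_dump(authenticate($store, bearerTokenFromHeaders($headers), $now));        // within lifetime
var_dump(authenticate($store, bearerTokenFromHeaders($headers), $now + 3601)); // one second past expiry

$renewed = refreshTokens($store, $pair['refresh_token'], $now + 3601);
var_dump($renewed !== null);
var_dump(refreshTokens($store, $pair['refresh_token'], $now + 3601));          // same refresh token again
```

In the demo the first `authenticate` call resolves to user 42, the call one second after expiry returns null, the refresh succeeds once, and the second use of the same refresh token is rejected because it was rotated out. Looking tokens up by their hash also means the comparison never touches the plaintext token, and a store dump only exposes hashes of random 256-bit values.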

1

You would like to know if it is safe to authenticate users by passing the token in the URL, and whether there is some other safer method.

It is not safe to pass the whole authentication through the URL. As a rule, do not pass critical data through the URL, because this information is easily intercepted by malicious people; even if your token is valid, this may compromise security.

Can I never pass a token through the URL? You can pass a token add-on or something just for checking, but really important information should be inside headers or sent through methods like POST, not GET.

Use OAuth 2.0

I recommend using OAuth 2.0; it is used by companies such as Facebook, Google, PayPal, Twitter, etc. It serves both as an authorization and authentication server. On the official website we find examples of implementations in several languages.

Man-in-the-middle

Don't forget to use the security layer, SSL, on your application, or it may be compromised by the famous man-in-the-middle attack. Here's an interesting article about this attack, divided into four parts; I recommend reading it.
