Hello, I'm developing a Restful api, but I wonder if it's safe to authenticate users by passing the token in the url? And if there is any other more secure method.
Web Service Restful Authentication with PHP
1
asked by anonymous 18.11.2014 / 02:23
2 answers
1
Access tokens usually have a lifetime of one hour, depending on the configuration of the endpoint.
The URL is often not the safest method, as it gets exposed even on secure connections. Ideally, pass the token through the Authorization header, as follows:
Authorization: Bearer <token>
This method is part of the OAuth 2.0 authorization framework. Read more at RFC 6750 .
18.11.2014 / 02:27
1
I wonder if it's safe to authenticate users by passing the token on the url? And if there is any other more secure method.
It is not safe to pass the entire authentication through the url. As a rule, do not pass critical data through the URL because this information is easily intercepted by malicious people, even if your Token is valid this can compromise security.
I can never pass token through the url? You can pass a token add-on or something just verifier, but really important information should be inside headers or through methods like POST and not GET.
Use OAuth 2.0
I recommend using OAuth 2.0 , it is used by companies like Facebook, Google, PayPal, Twitter etc. Serves as both authorization server and authentication server. In the official site we find examples of system implementation in various languages.
Man-in-the-middle
Do not forget to use the security layer, SSL, in your application, or you can compromise its security with the famous man-in-the-middle . Here you have a very interesting article about this attack divided in four parts, I recommend the reading.
12.06.2016 / 16:59