About URL with token

1

Good evening!

Just a question.

I'm developing an Android application and will get information in JSON, but when I log in, it would look like this:


link

If the verification succeeds, you receive a token to access the other information. Everything will work with the token.


link

In other words, with the received token you will be allowed to view the profile information.

Is this safe? Or does it still need to be improved?

Note: I do not like using a framework, to avoid compatibility issues; I use the PHP language.

asked by anonymous 09.08.2017 / 03:06

1 answer

0

Your approach is OK, but can be improved by adding more "security":

  • Use Basic Auth in the login URL, that is, send the username and password in the format "username:password", Base64-encoded, in the request header. Example:

    // The Authenticator is consulted only when the server answers 401 with a
    // "WWW-Authenticate: Basic" challenge; HttpURLConnection then retries with it.
    Authenticator.setDefault(new Authenticator() {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("myuser", "mypass".toCharArray());
        }
    });
    HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
    c.setUseCaches(false);
    c.connect();


Or you can simply add a request property to the connection:

    // android.util.Base64.encode() returns a byte[]; encodeToString() is needed to
    // build the header value. The scheme name is conventionally written "Basic".
    c.setRequestProperty("Authorization", "Basic " +
            Base64.encodeToString("myuser:mypass".getBytes(StandardCharsets.UTF_8), Base64.NO_WRAP));

  • For the other URLs, send the token in the request header, and always make sure the token is encrypted and not merely Base64-encoded, which would let anyone reuse a token, even an expired one. You can use the "Authorization" header for this.

Finally, avoid sending any sensitive information without being encrypted, much less in the URL path.

09.08.2017 / 11:39
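The server side of the flow discussed above (login issues a token, the profile URL requires it), as an added example in the asker's language; this is not code from the question or the answer. It assumes an open PDO handle in `$pdo`, a `users` table (id, username, password_hash created with `password_hash()`) and a `tokens` table (token_hash, user_id, expires_at); the table and column names are assumptions.

```php
<?php
// Added example, not code from the question or the answer. Assumed: $pdo is an
// open PDO handle; tables `users` and `tokens` as described in the lead-in.

function issueToken(PDO $pdo, int $userId): string
{
    // 256-bit random token; only its SHA-256 is stored, so a leaked table does
    // not hand out usable tokens. Lifetime of one hour is an assumption.
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, gmdate('Y-m-d H:i:s', time() + 3600)]);
    return $token;
}

function login(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a password_hash() digest in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return issueToken($pdo, (int) $row['id']);
}

function userIdFromBearer(PDO $pdo, ?string $authHeader): ?int
{
    // Accept only "Authorization: Bearer <64 hex chars>"; reject anything else.
    if ($authHeader === null || !preg_match('/^Bearer ([0-9a-f]{64})$/', $authHeader, $m)) {
        return null;
    }
    // Expired rows never match, so an old token cannot be replayed.
    $stmt = $pdo->prepare('SELECT user_id FROM tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $m[1]), gmdate('Y-m-d H:i:s')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Dispatch. Basic credentials arrive in PHP_AUTH_USER/PHP_AUTH_PW and the bearer
// token in HTTP_AUTHORIZATION (Apache with mod_php; other SAPIs may need the header
// forwarded). Neither credential ever appears in the URL.
if (basename($_SERVER['SCRIPT_NAME']) === 'login.php') {
    $result = login($pdo, $_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '');
    $body = $result === null ? ['error' => 'invalid credentials'] : ['token' => $result];
} else { // profile.php
    $result = userIdFromBearer($pdo, $_SERVER['HTTP_AUTHORIZATION'] ?? null);
    $body = $result === null ? ['error' => 'invalid or expired token'] : ['user_id' => $result];
}
http_response_code($result === null ? 401 : 200);
echo json_encode($body);
```

Serve both scripts only over HTTPS; the Basic header and the bearer token are otherwise readable by anyone on the path.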