Questions tagged [token]
DO NOT USE THIS TAG! For questions about CSRF tokens, use [CSRF]. For questions about session IDs, use [session-management]. For questions about OAuth tokens, use [oauth] and [oauth2]. For questions about hardware authentication tokens, use [hardware-token].
223 questions
1 vote · 0 answers · 45 views
Usage of Mt_Rand in PHP
I am creating an exercise for my users, where I am trying to tell them that using mt_rand() is not a good option from a security point of view. What I did is that I showed them a normal user who gets a ...
11 votes · 3 answers · 3k views
Determining Entropy in PHP
I am using the following code in my code to send a password reset token to a user.
$token = md5($user_id . time());
Why is this considered a bad approach, cited as having weak entropy? The ...
1 vote · 0 answers · 128 views
Where to store Refresh Token in custom Authentication
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a ...
0 votes · 1 answer · 168 views
Does the absence of CSRF tokens need to be fixed as soon as possible?
When I was originally developing my website, I made sure to include cross-site request forgery tokens in most endpoints and forms, etc., because I knew it was a highly recommended thing to do.
But of ...
1 vote · 1 answer · 68 views
Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]
If the SessionID is leaked/hacked by someone else and they use that SessionID to get access to the account, can we double-check whether the SessionID is used on the right device? I'm thinking of ...
1 vote · 1 answer · 250 views
Security doubts around the refresh token and how it works
I am trying to understand how refresh tokens and access tokens work, and I read several threads and documentation. It seems that I am not the only one confused about this topic.
Based on this ...
0 votes · 0 answers · 90 views
Firebase Cloud Messaging (FCM): what is the impact of an exposed or leaked fcm_token?
When an attacker obtains such a token (via a broken webapp or jailbroken mobile phone), what would be the consequences?
Would it be possible for an attacker to obtain messages with sensitive info (...
0 votes · 1 answer · 269 views
how to send cookies or token in local storage to a remote server using reflected XSS
I have an XSS vulnerability identified by <script>alert(1);</script> in the url.
So when I put it in the url it gets executed (ex: www.example.com/admin/<script>alert(1);</script&...
0 votes · 1 answer · 212 views
How is Sentry's public key protected when the token is in front end code?
In Sentry's documentation they explain that you can use a public token to use their API;
<script
src="https://js.sentry-cdn.com/examplePublicKey.min.js"
crossorigin="anonymous&...
0 votes · 1 answer · 100 views
Password-based encryption: keeping the user logged in without entering password again
Context
I have a system where some of the user's data is encrypted via AES. Each user has their own key K. When the user creates an account, K is generated and encrypted with a key derived from ...
0 votes · 0 answers · 67 views
Modern security implementation: operation token sent to the bank by secure server
This post is related to this post on Android users stack exchange relating to conceiving of a variety of household situations and files and a post related to what immutable storage is which was ...
3 votes · 1 answer · 1k views
Best login flow for username and password authentication
I've been reading countless articles about login flows and what's the best for user auth, but it's all even more confusing now.
My scenario:
I have a simple app (capacitor spa) that has a simple ...
1 vote · 2 answers · 1k views
I need to generate a token in order to share an 'invite' link, what should the token be?
Just to elaborate a bit more:
User A owns a directory of files on my server
User A wants to share a link with a token that grants anyone with the link access to that directory
I have an API user A ...
0 votes · 0 answers · 1k views
best way to keep user logged in with cookie and jwt?
I'm making an SPA with Laravel REST API and trying to keep it stateless.
Right now I'm trying to achieve proper JWT authentication and 'remember me' functionality.
On successful login the client ...
1 vote · 1 answer · 1k views
Authentication using JWT signature, without header and payload
I am evaluating JWT as an authentication mechanism for an API. The idea is to use JWT as an API key.
One thing I want to implement is revoking API keys. Since revoking involves a state change in my backend, ...
1 vote · 1 answer · 138 views
Logging secrets in the user agent (browser)
There are sound reasons not to put any secrets, PII or other sensitive information into the logs on the server side (see OWASP ASVS V7).
But should the same rule apply on the client side? Is there a ...
3 votes · 1 answer · 4k views
Why do big sites use cookies and not OpenID connect?
As I understand it, OAuth is the natural evolution of authentication protocols
I understand in a general way that evolution is as follows:
basic authentication
cookies
tokens, at this point you want ...
0 votes · 1 answer · 196 views
GnuPG: gpa.exe hangs when I click on "smartcards" AND scdaemon cannot recognise SC-HSM 4K
https://dev.gnupg.org/T6097
I am trying to get GnuPG to work with my SmartCard-HSM 4K on Windows, using the GP4Win bundle.
Kleopatra doesn't recognise the SC-HSM 4K at all, even though it does ...
1 vote · 0 answers · 608 views
Bearer Token and session management
I'm working for a company and I saw their authentication mechanism and wasn't sure if it's good.
When the user first logs in, the credentials will be sent to the server and the server will generate a ...
2 votes · 0 answers · 1k views
Why do I have to store a refresh token in db
As far as I know, JWT tokens are used for implementing a 'stateless server'. But as I try to apply JWT to my website that uses sessions and cookies for authentication, I found that most people store ...
1 vote · 0 answers · 152 views
Best way to handle token authentication workflow on mobile apps
I'm working on a mobile application and I need to create a token-authentication workflow.
So far I've pointed out the main tokens:
Tokens by reference, that are stored in a database, like (https://www.django-...
0 votes · 0 answers · 127 views
How to use TokenAuthentication in mobile apps?
I'm working on a mobile application, using django rest-framework as backend, and I'd like to achieve the maximum security possible.
Now when the user logs in with email and password I generate a token, ...
0 votes · 0 answers · 5k views
Where to store token from auth header in React
I am currently working on a medium scale app and am a month into learning React. I got to the part where I need to authenticate users. I have written some code and it is working, but I don't know is ...
0 votes · 1 answer · 219 views
is it safe to read the jwt token before validating it?
is it safe to read the jwt token before validating it?
my colleagues are implementing a "check jwt for aud value and route accordingly".
this means that:
First payload is being read by the ...
1 vote · 1 answer · 421 views
Is braintree clientToken supposed to be public?
I'm building an app that uses Braintree for processing payments. According to the documentation, I need a server-side endpoint that returns the clientToken, which is then used to manage a user's vault ...
0 votes · 1 answer · 294 views
What should I worry about when attaching a token to a request manually?
I'm developing a platform that has 2 parts:
An API written using Laravel, that integrates with the database and provides data in a RESTful state.
Multiple fronts that connect to the API and perform ...
0 votes · 1 answer · 165 views
Github.com token authorisation since 13th August, impractical?
GitHub removed password authentication:
remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information.
fatal: unable to access 'https://...
4 votes · 2 answers · 2k views
What is the point of signing a JWT with a JWK if you need to communicate with the token issuer?
If I understand correctly, a JSON Web Token (JWT) can be asymmetrically signed with a special private key (JWK). At least in some common configurations, the public part of the signing key can't be ...
2 votes · 2 answers · 468 views
Frontend authenticates in server using jwt token issued by another server
I have two servers and frontend client:
one server authorizes and authenticates the user, and after that issues a JWT token to the client.
The frontend client also visits a second backend server using the JWT token as ...
0 votes · 1 answer · 379 views
CSRF tokens in file that we can upload a file
I am dealing with a website vulnerable to CSRF. Let's say that the page (upload.php) has the following code
if (isset($file_submit)) {
    //submit_file()
}
else {
    show_submission_form()
}
...
0 votes · 3 answers · 811 views
How many bytes for password reset token? Should one take steps to hash or conceal raw CSPRNG bytes?
I'm trying to follow the OWASP 'Forgot Password Cheat Sheet' recommendations for password reset functionality via email. This requires my server to generate a token. OWASP says that PHP's random_bytes(...
1 vote · 1 answer · 396 views
What are the best practices to create a safe and performant user registration and validation with Nodejs and Postgres? [closed]
I've been asked to write an app with registration and login systems. In essence, I've already written the first version of their app using PHP, some JavaScript/jQuery and storing data in MySQL. It ...
2 votes · 2 answers · 185 views
Check Expired Token (after a visit)
I'm implementing a model in which I'll have to re-update the users, so I want to deliver a unique link to the users and, after they confirm the update, expire that link so that it cannot be reused.
How ...
2 votes · 0 answers · 776 views
API keys or Client Credentials flow? Good practice to control application access to a deployed web component
Company A developed a widget (Web Component) deployed on several clients/partners.
Only clients/partners must be authorized to use the widget.
No need to distinguish between each end users (clients' ...
2 votes · 1 answer · 262 views
Kubernetes bootstrap token with no expiration
I would like to know the security implications of using a bootstrap token that never expires. The reason why I'm considering doing that is that I'm using terraform and my control-plane is in a ...
2 votes · 1 answer · 1k views
Cookieless Authentication
I am working on an authentication server that can act as a central place to manage authentication for multiple projects, sort of like keycloak or ory kratos.
While working on implementing ...
1 vote · 0 answers · 149 views
mORMot 1.18 doesn't invalidate session_signature after logout? is this the default behaviour?
On a website which uses mORMot 1.18 every request made by an authenticated user is in this format:
../search_items?session_signature=0000004C000F6DD02E24541C as reported within the framework docs
...
2 votes · 2 answers · 6k views
How to securely store and use session IDs
I'm not sure what the option is to store and manage session IDs for long-lived sessions (3-6 months each).
Given that the session ID is generated with enough entropy and that the session ID is then ...
1 vote · 1 answer · 3k views
How do I maintain/check a user session in the backend without having to use tokens?
I'm trying to login a user and, then, retrieve the user information like we do on a regular web app using php session.
I have searched some solutions but I couldn't find any answer for my problem/...
2 votes · 1 answer · 2k views
When to request refresh token? JWT
I am trying to implement JWT in a secure way in Node.js and I am unsure when to request the refresh token.
I got one access token and one refresh token. Both are saved in two httpOnly cookies. When ...
1 vote · 1 answer · 123 views
What happens if a secure token is provided to a trusted party that gets compromised
Take for example - AWS STS token or JWT tokens.
Let’s say node A got a token for accessing a resource of account X on behalf of account X. Access includes read/write privileges.
Let’s say a few minutes ...
1 vote · 0 answers · 502 views
Difference between JSON web token, bearer token, and MAC token in OAuth2
I am reading this OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
where the authorization server issues a client a JSON web token with the following format
{
"iss&...
0 votes · 1 answer · 408 views
Generating tokens via PRNG and Hashing
We are using Java and we are planning to create a reusable API that can be used to generate and validate custom tokens. This is how we will do it
Step 1: Generate a random number using a good CSPRNG ...
6 votes · 2 answers · 2k views
What is the point of having a refresh token if it can be as easily stolen as an access token on client-side/JavaScript applications (SPA/PWA)?
From my understanding, the point of having a refresh token and short lived access tokens is to mitigate the consequences of having the access token stolen. This way, if this happens, the attacker will ...
3 votes · 0 answers · 1k views
How can I implement CSRF Tokens without server-side rendering/templating?
I am attempting to build an application that submits numerous fetch/XHR requests to a NodeJS backend. I'd like to implement CSRF token protection, but would like to avoid implementing server-side ...
0 votes · 1 answer · 459 views
token _csrf in an url POST
I wanted to know if it was a bad thing to have a _csrf token stored in a url. I saw that in a POST request that allows me to upload a file, the _csrf token was displayed in the url. Is it sensitive to ...
1 vote · 2 answers · 1k views
Cross-Domain Request is a CSRF Attack? (CORS)
CORS is a suite of HTTP headers that “relaxes” the SOP. One of the CORS misconfigurations is reflecting, without a regex check, the “Origin” client header into the “ACAO” response header. If it happens with “ACAC:...
2 votes · 1 answer · 2k views
Why is ID token used instead of Access token to get temporary credentials in AWS?
After a user logs on to Cognito, he receives access and ID tokens. The ID token contains sensitive info like phone number, email, etc.
From all standards, an ID token should not be used to gain access ...
0 votes · 0 answers · 116 views
Security concern on locally stored authentication token
It is a common method in mobile applications to allow users to bypass the authentication process by verifying a locally stored token (previously authenticated) on the device.
This is to strike a balance ...
1 vote · 2 answers · 4k views
Sending token through GET vs POST
Looking for recommendations for security in sending token (e.g. JWT Token) through a GET vs POST request to the server.
There are two options:
Sending token through Headers as part of HTTP GET ...