This repository has been archived by the owner on Oct 17, 2020. It is now read-only.

[Security] Migrate from exposing auth token in URL to secure Cookie #705

Open
magicoder10 opened this issue Apr 27, 2020 · 1 comment
Labels
enhancement New feature or request

Comments

@magicoder10
Member

magicoder10 commented Apr 27, 2020

What is the problem?
Auth tokens are exposed in the URL when a user signs in to the website. This allows an attacker to easily steal users' tokens, as they can be sent along with HTTP requests through a man-in-the-middle attack.

Your solution
Set the auth token in a cookie on the sign-in callback route.

eg:

Set-Cookie: sessionId=[top secret value]; path=/secret/; secure; HttpOnly;
  domain=payments.martinfowler.com

https://martinfowler.com/articles/web-security-basics.html#ProtectUserSessions

@magicoder10 magicoder10 added the enhancement New feature or request label Apr 27, 2020
@Coteh
Collaborator

Coteh commented Aug 25, 2020

Should we set a session ID as the cookie that can then be used to look up the access token from a database, or should we set the auth token as the session ID directly? If the latter, I think we should ensure that the auth token is encrypted to prevent attackers from accessing it.

I personally believe it would make more sense to use a session ID and make an AJAX request after being redirected to look up the access token given the session ID. What do you think?
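As an added example of the approach discussed in both comments (not code from this project), a Go sign-in callback that keeps the access token server-side, issues a random session ID in a Secure, HttpOnly cookie instead of putting the token in the redirect URL, and resolves the cookie back to the token on the follow-up request. The handler names, the `sessionId` cookie name and the in-memory store are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"sync"
)

// sessionStore keeps access tokens server-side, keyed by opaque session ID.
// In-memory for this example; a deployment would use a database with expiry.
type sessionStore struct{ tokens sync.Map }

// newSessionID returns 32 random bytes, base64url-encoded: unguessable and
// carrying no information about the token it stands for.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// callbackHandler is the sign-in callback: the token stays server-side and the
// browser gets a cookie JavaScript cannot read (HttpOnly) and that only travels
// over HTTPS (Secure); the redirect Location carries no token.
func (s *sessionStore) callbackHandler(w http.ResponseWriter, r *http.Request, token string) error {
	id, err := newSessionID()
	if err != nil {
		return err
	}
	s.tokens.Store(id, token)
	http.SetCookie(w, &http.Cookie{Name: "sessionId", Value: id, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode})
	http.Redirect(w, r, "/", http.StatusFound)
	return nil
}

// lookupToken resolves the session cookie on a follow-up (AJAX) request to the
// access token; ok is false when the cookie is missing or unknown.
func (s *sessionStore) lookupToken(r *http.Request) (string, bool) {
	c, err := r.Cookie("sessionId")
	if err != nil {
		return "", false
	}
	v, _ := s.tokens.Load(c.Value) // v is nil when the ID is unknown
	tok, ok := v.(string)
	return tok, ok
}
```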


2 participants