This repository has been archived by the owner on Oct 17, 2020. It is now read-only.
What is the problem?
Auth tokens are exposed in the URL when a user signs in to the website. This allows an attacker to easily steal users' tokens, as they can be sent along with HTTP requests through a man-in-the-middle attack.
Your solution
Set the auth token in a cookie on the sign-in callback route.
e.g.:
https://martinfowler.com/articles/web-security-basics.html#ProtectUserSessions
Should we set a session id as the cookie that can then be used to look up the access token from a database, or should we set the auth token as the session id directly? If the latter, I think we should ensure that the auth token is encrypted to prevent attackers from accessing it.
I personally believe it would make more sense to use a session id and make an AJAX request after being redirected to look up the access token given the session id. What do you think?