Creamstout10

Reputation: 513

Azure DocumentDb continuation token

I'm using a continuation token to iterate over a result set in DocumentDb just fine. My intention is to expose the continuation token and the min/max page over a REST API via HATEOAS links so a user can run through all of their results. Is there a potential security risk in returning the continuation token or the page ids? Should I obfuscate them? I would prefer to keep all the session state in the Cosmos DB and not have to store the results somewhere else for pagination.

Upvotes: 1

Views: 1302

Answers (1)

Fei Han

Reputation: 27825

Is there a potential security risk by returning the continuation token or the page ids?

In my view, exposing the continuation token cannot cause security issues. A continuation token differs from an authorization token: a continuation token is returned from a query when there are additional results aside from what was returned in the response. Normally, clients resume query execution using the continuation token from the previous query to get additional results, and a continuation token that was returned from the previous query cannot be used with a different query. If a client just gets the continuation token but does not have a valid authorization token and does not know the query, the client cannot get the results via that continuation token.

Upvotes: 2
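
An added example, not part of the question or answer above: one way for the REST layer to hand the continuation token out in a HATEOAS link as a cursor bound to the query and the authenticated caller, so a cursor that was altered or pasted into another request is rejected before it reaches the database. The function names, the key handling and the sample token are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a real service loads this key from a secret store, not source code.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _mac(token: str, query: str, user_id: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never collide.
    msg = b"".join(
        len(p).to_bytes(4, "big") + p
        for p in (s.encode("utf-8") for s in (token, query, user_id))
    )
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def wrap_token(token: str, query: str, user_id: str) -> str:
    """Return a URL-safe cursor carrying the continuation token plus a MAC."""
    mac = base64.urlsafe_b64encode(_mac(token, query, user_id)).decode("ascii")
    raw = json.dumps({"t": token, "m": mac}, separators=(",", ":"))
    return base64.urlsafe_b64encode(raw.encode("utf-8")).decode("ascii")


def unwrap_cursor(cursor: str, query: str, user_id: str) -> str:
    """Return the continuation token, or raise ValueError if the cursor was
    altered or was issued for a different query or caller."""
    try:
        body = json.loads(base64.urlsafe_b64decode(cursor.encode("ascii")))
        token = body["t"]
        mac = base64.urlsafe_b64decode(body["m"].encode("ascii"))
    except (ValueError, KeyError, TypeError, AttributeError):
        raise ValueError("malformed cursor") from None
    if not isinstance(token, str):
        raise ValueError("malformed cursor")
    if not hmac.compare_digest(mac, _mac(token, query, user_id)):
        raise ValueError("cursor does not match this query and caller")
    return token


if __name__ == "__main__":
    # Constructed sample values; a real token comes from the previous query response.
    sample = '{"token":"constructed-sample","range":{"min":"","max":"FF"}}'
    query = "SELECT * FROM c WHERE c.owner = @owner"
    cursor = wrap_token(sample, query, "user-1")
    print(unwrap_cursor(cursor, query, "user-1") == sample)
```

The cursor is signed, not encrypted, so the token is still readable by the client; the MAC only lets the API refuse cursors it did not issue for that query and caller.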
