Reputation: 513
Azure DocumentDb continuation token
I'm using a continuation token to iterate over a result set in DocumentDb just fine, my intention is to expose the continuation token and the min/max page over a rest API via HATEOAS links so a user can run through all of their results. Is there a potential security risk by returning the continuation token or the page ids? Should I obfuscate them? I would prefer to keep all the session state in the cosmos db and not have store the results somewhere else for pagination.
Upvotes: 1
Views: 1302
Answers (1)
Reputation: 27825
Is there a potential security risk by returning the continuation token or the page ids?
In my view, exposing the continuation token can not cause security issues. continuation token differs from authorization token, a continuation token is returned from a query when there are additional results aside from what was returned in the response, normally clients resume query execution using the continuation token from the previous query to get additional results, and a continuation token that returned from the previous query cannot be used with a different query. If a client just get continuation token but do not have valid authorization token and do not know the query, the client can not get the results via that continuation token.
Upvotes: 2
Related Questions
- What is the lifespan of continuation tokens in DocumentDb
- Cosmos DB SQL API Node.js - Continuation Token
- Invalid format for continuation token on Cosmos db
- How does Cosmos DB Continuation Token work?
- How to get & set Cosmos Db continuation token in javascript
- CosmosDb with DocumentDB API through Azure API Management
- Azure CosmosDB Continuation Token Structure
- How do I set continuation tokens for Cosmos DB queries sent by document_client objects in Python?
- Cancellation Token support for Cosmos Document Client?
- Document Db Request Continuation Token Not set on the 1st iteration