GeorgieF

Reputation: 2727

Is token based authentication secure when

any request is made via HTTPS and the token is transmitted the following ways:

a) GET https://foo.dom/foobar?auth_token=abcxyz

b) GET https://foo.dom/foobar with HTTP-header like X-FOOBAR-TOKEN: abcxyz

As I understand SSL, in case of an HTTP request the client first negotiates the SSL connection and only transmits additional parameters and/or HTTP headers once the secure connection has been established successfully.

Am I right so far?

Thx for any suggestion. Felix

Upvotes: 1

Views: 1079

Answers (1)

Shawn Bower

Reputation: 1147

SSL buys you encryption of the transport so no one can snag the auth token while it is being sent to/from the site. There are some man-in-the-middle attacks that can be performed against SSL but generally SSL should protect the token content.

What makes or breaks the security is whether or not the token itself is cryptographically secure. If that can be said to be true then you are golden. Check out this site http://web.mit.edu/kerberos/dialogue.html.

There are plenty of other sites that use secure tokens for auth, see: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html.

Upvotes: 2
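To make the answer's point concrete, here is an added example (not code from the question or the answer) of issuing a cryptographically secure token and accepting it in both forms from the question, a) `?auth_token=` in the query string and b) an `X-FOOBAR-TOKEN` header. It also shows one difference between the two forms that TLS does not change: a server's access log records the request target, so a query-string token ends up in the log while a header token does not. The WSGI-style `environ` dict, the in-memory token store and the log format are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed store: SHA-256(token) -> user. Only digests are kept, so a
# leaked store does not hand out usable tokens (assumed design, not from the page).
TOKEN_DIGESTS: Dict[str, str] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user: str, nbytes: int = 32) -> str:
    """Issue an unguessable bearer token (256 random bits from the OS CSPRNG).
    This is the 'cryptographically secure token' the answer talks about."""
    token = secrets.token_urlsafe(nbytes)
    TOKEN_DIGESTS[_digest(token)] = user
    return token


def extract_token(environ: dict) -> Optional[str]:
    """Read the token from a WSGI-style environ, accepting both forms from
    the question: header X-FOOBAR-TOKEN (b) or ?auth_token=... (a)."""
    header = environ.get("HTTP_X_FOOBAR_TOKEN")
    if header:
        return header
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    return qs.get("auth_token", [None])[0]


def authenticate(environ: dict) -> Optional[str]:
    """Return the user owning the presented token, or None if absent/unknown.
    Lookup is by digest, so no plaintext token is ever compared or stored."""
    presented = extract_token(environ)
    if not presented:
        return None
    return TOKEN_DIGESTS.get(_digest(presented))


def access_log_line(environ: dict) -> str:
    """A combined-log-style request line as a web server would write it.
    The query string is part of the logged target; request headers are not."""
    path = environ.get("PATH_INFO", "/")
    qs = environ.get("QUERY_STRING", "")
    target = f"{path}?{qs}" if qs else path
    return f'{environ.get("REMOTE_ADDR", "-")} "GET {target} HTTP/1.1" 200'
```

Running `access_log_line` on a form-a request shows the token verbatim in the log line, which is why form b is the one to prefer even though both are protected on the wire.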
