Why do we need JWT tokens for security despite still being able to change one's own [duplicate] - node.js

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 11 months ago.
I've been searching for how to make a public HTTP request secure, and all the answers are to use a token like JWT.
But from what I understand, isn't the reason for using this token to prevent someone from modifying someone else's data rather than their own?
Then the user can still manipulate his own data using his own token, because when you first connect to the app, you get a token from the server.
That person can modify his or her data at any time. Wouldn't he be able to modify the game points he has at any time? (I actually saw an answer elsewhere which said to make that HTTP call available only once, after the game is over.)
But if he knows the JWT token and the HTTP request URL, then he can still modify it, right?
Are JWT tokens used, in the worst case, just to keep someone else's data from being touched?

The JWT token is just used to identify the user making the API request and to check whether the user is authorized to make that request. When you decode a JWT (Firebase Auth's JWT in this example), you can read the user's UID, custom claims, etc.
Passing a user ID directly in API requests is not a good idea because they are usually public (e.g. your Stack Overflow ID is 18516895) and easy to guess. So I could just try passing some random numbers/strings and might be able to make requests on behalf of someone else. So JWTs are mostly used for authorization and information exchange.
Also check out: Introduction to JSON Web Tokens
But suppose I suddenly want to raise my Stack Overflow score. Then just checking the token is not enough for the server, I guess, right? How do you prevent this case?
Allowing users to update their own score doesn't seem to be a good idea. Instead, the score should be handled entirely on the back end and can be triggered by any action, such as the user winning the game.
Take Stack Overflow for example: only the person who asked the question can mark any of the answers as accepted. This is authorization; no one else is allowed to do so. After an answer is accepted, the system updates the answerer's score (reputation), so there is no API request made from the client side to increase the score.
The flow could be like:
Questioner accepts an answer
Verify the JWT; mark the answer as accepted if the caller owns the question
Increase the score (reputation) of the answerer
Adding another case, a single-player game like Tetris where the user directly needs to update the server for a win and earn points, as discussed in the comments: it might be best to send every move to the server and run all game-win logic on the back end, instead of checking for a win on the client and letting users hit a /win API over and over again. If the game is completed, then credit points to the user if they won.

Related

JWT Tokens and Firebase Auth Tokens are perfect for security? [closed]

How can we hide information like authentication credentials while passing from the UI to backend servers? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 2 years ago.
We are building a mid-sized project. We have a React UI and an Express backend. For authentication, when the user submits his credentials, there is a POST call to the backend to authenticate the user.
The problem is, we can clearly see the user input in the network calls. This might be a problem. Is there a way to hide this information? How is the industry tackling this situation? Is this fine? I've seen Twitter's authentication flow. It's a bit different; I'm unable to see the data I submitted.
It's completely normal to have a POST request with content like
{
username: "myName123",
password: "myPassword456"
}
You can see this in almost every service that requires authentication.
When you do this, make sure your communication with the client is encrypted (HTTPS) so that a man in the middle can't read it.
Don't trust the user: clean the input of anything that should not be there.
Encode / hash the input, adding something to mix up the logic.
Decode / de-hash and verify.
When you encode something with a built-in feature like base64, add some variable to the string that makes it more random.

Utility of JSON Web Tokens? How is it more efficient than current systems? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I have been reading about JSON Web Tokens and some questions popped up in my mind. I have read a lot of claims about how we should move from a session-based approach to JWT. I am thinking more in terms of a Node.js backend that exposes an API for the UI as well as for mobile.
Claim: JWT does not require you to communicate with your key-value data store for every HTTP request.
Question 1: I can't have a single private key for all the users (what's the security risk if I have only one private key?). Then I would need to have a DB anyway.
Claim: JWT sends the token on every request, and hence we don't need to store any data like "name, email" in the session; instead it can reside in the token itself.
Question 2: Won't the size of the payload increase, since the token would be sent for every request and it also contains data?
Claim: You can use the same method for mobile auth as well as web UI auth.
Question 3: Since the server now has to decrypt the token and communicate with the server, isn't it an overhead for the web UI?
Claim: Pass the token to the JS and store the token in sessionStorage or localStorage.
Question 4: Since there is no concept of "httpOnly" in sessionStorage, isn't that a security concern? Also, can Chrome plugins circumvent the security by getting the token and logging in?
Finally, apart from the CSRF issue, sharing the code between UI and mobile auth and the CSRF benefits, I really don't see much benefit over the current session-based mechanism. Am I correct in my thinking?
Also, in what cases are there disadvantages of JWT when compared to traditional session-based systems?
question 1
Yes, if you wanted to sign the JWT uniquely for each user, then you would need to store those keys in your database.
Also, you will anyway need to store the token in your db, because when the token is revoked you need to reject that request even though the token is valid.
But the point to look at here is that this token-based authentication is useful for all clients, not just web apps, so rewriting the APIs is not required.
JWT is one format for the token in token-based auth.
question 2
Yes, your payload can easily reach 700 to 1000 chars even if you add a small amount of detail to the JWT.
But it helps to have clear info about the authenticated user without hitting the db; the suggestion here is to have very minimal info and store the rest in the db and use it when required.
question 3
No, all the client (web app) needs to do here is store and send that token in each request, which is the same as sending the session cookie (it's just automatic).
question 4
Yes, anyone can copy the token and gain access (but it will expire after a short time). This is the same as session hijacking, or, after a session is established, the user can directly call APIs from their REST console in the browser and it still works.
In this case the token is efficient since it usually has a short lifetime rather than the session's lifetime.
There are real benefits in JWT; the top one is that you can expose the same APIs to any client, and there is no need to write individual APIs for the web app and other clients.
JWT is still a draft and not a specification, and if you use it carefully there are real benefits in it. Search about token-based authentication and you will see a lot of advantages over sessions.

How are maliciously made multiple user registrations managed on a real-world website? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I've noticed lots of websites allow users to register by simply asking for their email and password [aside from all the other information like name, username, gender etc.]. And the users don't have to do email verification as they register; they simply get a reminder that they should verify their email, but otherwise they can use the website normally. This is very good for UX, since the user can immediately start using a website and not waste time doing email verification etc. before he knows whether he will keep using this website or not.
So the question I wanted to ask is the following:
Suppose a malicious user writes a program that will keep registering users with valid usernames and (syntactically) valid emails.
This will eventually cause lots of trouble if not correctly managed:
the database will eventually run out of ids for users
this will create lots of records, thus eating up space
more user records means more lookup time
So, I'm really curious how all this is managed, if at all.
NOTE: most of the websites I'm talking about do not use CAPTCHA (bad for UX), so they manage the issue in some other way, again, if at all. But neither is the solution to delete the record if the user hasn't confirmed his/her email within a set time. Suppose the user loses their Internet connection [, or forgets, or anything else] on the last day he has to verify the email. Then the user will lose his/her account and just forget about that website. So this is not a solution. I'm not sure about IP limitations. But suppose it is an Internet cafe and users keep registering. And there are dynamic IPs these days. Is limiting registrations to some amount per period of time a solution? But how do I know when the last registration occurred if the IP keeps changing? So how is this issue solved?
This is not really an SO problem. This site is more focused on solving issues with actual code rather than ways to solve a generalised problem.
That said, the current patterns seem to be...
Require more information. By having more information, you can de-duplicate accounts. That said, in your scenario repeated accounts with the same email address should be easily consolidated. This doesn't prevent bots from registering many accounts with different addresses, but adding more requirements, such as address and phone number, makes it increasingly difficult to match data sets to your validation.
Validate via email. Contrary to what you suggest, this is still quite common and a good means to separate genuine users with an interest in the site from the chaff.
The other option is a federated authentication service such as Facebook, Twitter or Google+. These provide the UX you seek, but without it being your problem to validate.
From your comments that these changes aren't an option...
Your other option is to look at something server-side. This will be along the lines of blocking by IP address. The problem I'd have with this is that the user is unaware; at least with the other options presented, the user isn't going to get denied based upon something that happens on the backend. These measures can still be easily circumvented. An IP block can only be implemented for a short period of time, so the rogue registrations just need to delay long enough, or more likely flip between different IP addresses.

Best practice - 'forgotten username' process [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 1 year ago.
I've currently been asked to implement 'forgotten username' functionality on a site I've inherited, and I'm curious what the best practice is for the process. I'm already following best practice for resetting the user's password (by sending an expiring, one-use reset link), but there doesn't seem to be any best-practice policy for a forgotten username.
The options I've seen on other sites are:
Input email address and send it. This is the most straightforward, but I'm uncomfortable about sending the username to the email address.
Input email address and send a single-use, expiring link which displays the username. After it's expired or been used, it obviously won't work anymore.
Similar to 2, but merged with the change-password process: if the user forgets their username, they get to see their username, but they have to reset their password too.
The user table doesn't have any other info set up within it (security question, date of birth, etc), so I can't ask for any of this information without adding it retrospectively. But I'd appreciate any advice or views others have on how they have either implemented it, or how they think it should be implemented :).
I'm not sure if this is really a case of best practice.
I imagine the username comes with an email address built into it? Most websites I've seen usually just ask you to input the email address that is linked to the account, and you'll receive an email containing your username.
It's the responsibility of the user to maintain their email address security. The username is something that IS public information in most cases. I don't see why you need to focus so much secrecy on it.
What I like to do is..
Alternatively, if the user has forgotten their username, you can ask them to sign in with their email address instead. No emailing around necessary, and the user still needs to know the secret password.
I don't see any issue with option 1, as you will be sending the username to the registered email address, which only the registered user has access to. As you say, this is how other websites do it, and it is tried and trusted by many.
I'd see options 2 and 3 as overkill, unless you have key business requirements to implement it this way.
All of the options proposed here are open to security issues. Sending the username to their email opens it up to attackers who could sniff the content of the email.
For a more secure approach you may want to implement some multi-factor verification.
Example:
On the form for discovering their username, ensure there are multiple inputs (email and DOB). The more you add, the more secure it will be.
If these inputs are correct, then ask the user 2 or more security questions. Don't show the questions as drop-downs; show them as text.
Finally, if the answers are correct, then allow them to log in on a form with their username \ password.
** For even more security, insert a step between 1 & 2 which emails a random token to the user which they must click to continue the flow.
I understand for most applications this may seem like overkill, but if you are working on something which requires tight security then you must be careful with this sort of flow.
This article discusses Forgot Password, but I think its content is applicable:
https://fishnetsecurity.com/6labs/resource-library/white-paper/best-practices-secure-forgot-password-feature
