[aerogear-dev] Auth-Token: how to ensure one token is used from only one device ?

Bruno Oliveira bruno at abstractj.org
Thu Sep 27 06:26:10 EDT 2012


Hi Matthias, this is our biggest concern for M7; we had some discussions about it with the PicketBox team to improve it. Currently the token relies on PicketBox sessions like this: 

 token = user.getSubject().getSession().getId().getId().toString();

Easy to break, like you did. My initial suggestion is to generate an application ID at first glance and create event- or time-based tokens.


-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Thursday, September 27, 2012 at 3:26 AM, Matthias Wessendorf wrote:

> Hi,
> 
> using the Auth-Token to get access to protected resources / endpoints
> (after doing a login) works fine!
> 
> I am wondering how to avoid one token being used on different
> devices? (e.g. when somebody is 'stealing' the token).
> 
> I did sign in to the app, using the browser, and got the following
> token => db5d16da-a1e5-48d9-a2fd-e39e36e835bc
> 
> Now I was able to issue a GET request against the endpoints, by using
> the same token, from different 'devices':
> - curl
> - iOS test case
> 
> NOTE: we don't need a solution now, since I know you guys are busy
> with some demo work - but just want to run that 'issue' by this list
> 
> Greetings,
> Matthias
> 
> -- 
> Matthias Wessendorf
> 
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org (mailto:aerogear-dev at lists.jboss.org)
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
> 

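One way to implement the suggestion above, as an added example that is not AeroGear or PicketBox code: each token is bound to the application id it was issued to and expires after a fixed lifetime, so the same token presented by another client (the curl / iOS case in the quoted mail) is rejected. Class and method names, the 15-minute lifetime and the server-generated application id are assumptions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical token service: each token is bound to the application id it
// was issued to, expires after LIFETIME (time-based) and can be revoked by an
// event such as logout (event-based).
public class BoundTokenService {
    private static final Duration LIFETIME = Duration.ofMinutes(15);
    private static final SecureRandom RNG = new SecureRandom();

    private record Grant(String user, String appId, Instant expires) {}
    private final Map<String, Grant> grants = new ConcurrentHashMap<>();

    // Called after a successful login. appId is the server-generated id the
    // client received when it first registered (assumed to exist).
    public String issue(String user, String appId) {
        byte[] raw = new byte[32];                 // 256 bits of randomness
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(user, appId, Instant.now().plus(LIFETIME)));
        return token;
    }

    // Called on every protected request with the Auth-Token and the application
    // id the caller presents. Returns the user only if the token is known,
    // unexpired and bound to that very application id; otherwise null.
    public String validate(String token, String presentedAppId) {
        Grant g = grants.get(token);
        if (g == null) return null;
        if (Instant.now().isAfter(g.expires())) {  // time-based expiry
            grants.remove(token);
            return null;
        }
        return g.appId().equals(presentedAppId) ? g.user() : null;
    }

    // Event-based invalidation, e.g. on logout or on a detected mismatch.
    public void revoke(String token) { grants.remove(token); }

    public static void main(String[] args) {
        BoundTokenService svc = new BoundTokenService();
        String token = svc.issue("matthias", "app-id-browser");
        System.out.println(svc.validate(token, "app-id-browser")); // issuing client
        System.out.println(svc.validate(token, "app-id-curl"));    // same token, other client
        svc.revoke(token);
        System.out.println(svc.validate(token, "app-id-browser")); // after revocation
    }
}
```

The binding only raises the bar if the application id is not obtainable alongside the token, e.g. a per-install secret sent over TLS rather than a guessable value; a mismatch is also a useful signal to log and to revoke the token on.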
