Hi Matthias, looks like the PicketBox API only supports a timeout specified in minutes, so
here we go:
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Thursday, September 27, 2012 at 7:30 AM, Matthias Wessendorf wrote:
Hey Bruno!
On Thu, Sep 27, 2012 at 12:26 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
> Hi Matthias, this is our biggest concern for M7; we had some discussions
> about it with the PicketBox team to improve it. Currently the token relies on
> PicketBox sessions like this:
>
> token = user.getSubject().getSession().getId().getId().toString();
yep saw the code in the Filter;
> Easy to break, like you did. My initial suggestion is to generate an
> application ID at first glance and create event- or time-based tokens.
>
Glad we already had some discussion about this (assuming that, based on
your email).
I raised another question on IRC (#picketbox), on when the
PicketBoxSession expires.
I asked b/c I could issue a GET request one hour after my last activity,
using the same 'old' token.
Greetings!
Matthias
> On Thursday, September 27, 2012 at 3:26 AM, Matthias Wessendorf wrote:
>
> Hi,
>
> using the Auth-Token to get access to protected resources / endpoints
> (after doing a login) works fine!
>
> I am wondering how to avoid one token being used on different
> devices (e.g. when somebody is 'stealing' the token)?
>
> I signed in to the app using the browser and got the following
> token => db5d16da-a1e5-48d9-a2fd-e39e36e835bc
>
> Now I was able to issue a GET request against the endpoints by using
> the same token from different 'devices':
> - curl
> - iOS test case
>
> NOTE: we don't need a solution now, since I know you guys are busy
> with some demo work - but just want to run that 'issue' by this list
>
> Greetings,
> Matthias
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
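Bruno's point above, that a token which is nothing more than the PicketBox session id can be replayed from any device until the session times out, and his suggestion of an application ID plus event- or time-based tokens, can be made concrete. What follows is an added example written for this thread, not PicketBox or AeroGear code: the `BoundToken` class, the `serverKey`, the `clientId` values and the timestamps are all assumptions, and the session id is the value Matthias quoted, reused here as sample input. The token still carries the session id, but it is bound to the client that logged in and to an issue time, and the server checks an HMAC over the payload, the client binding and the age (with the timeout in minutes, as the PicketBox API expects) before accepting it.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

/**
 * Added illustration (not PicketBox or AeroGear code): a bearer token that
 * carries the PicketBox session id but is bound to the client that logged in
 * and to an issue time, so copying it to another device or replaying it after
 * the timeout is rejected on the server.
 */
public final class BoundToken {

    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] serverKey;     // hypothetical server-side secret, never sent to clients
    private final long timeoutMinutes;  // timeout expressed in minutes, as the PicketBox API wants

    public BoundToken(byte[] serverKey, long timeoutMinutes) {
        this.serverKey = serverKey.clone();
        this.timeoutMinutes = timeoutMinutes;
    }

    /** Token = b64url(sessionId|clientId|issuedAtMillis) "." b64url(HMAC-SHA256(payload)). */
    public String issue(String sessionId, String clientId, long issuedAtMillis) {
        String payload = sessionId + "|" + clientId + "|" + issuedAtMillis;
        return B64E.encodeToString(payload.getBytes(StandardCharsets.UTF_8))
             + "." + B64E.encodeToString(mac(payload));
    }

    /**
     * Returns the session id if the token is authentic, was issued to
     * presentedClientId and has not timed out at nowMillis; otherwise null.
     */
    public String verify(String token, String presentedClientId, long nowMillis) {
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        byte[] payloadBytes;
        byte[] sig;
        try {
            payloadBytes = B64D.decode(token.substring(0, dot));
            sig = B64D.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                                   // not base64url at all
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // Constant-time comparison: a forged or edited payload stops here.
        if (!MessageDigest.isEqual(mac(payload), sig)) return null;
        String[] parts = payload.split("\\|", -1);
        if (parts.length != 3) return null;                // ids containing '|' are rejected, not parsed
        if (!parts[1].equals(presentedClientId)) return null;  // token copied to another client
        long issuedAt;
        try {
            issuedAt = Long.parseLong(parts[2]);
        } catch (NumberFormatException e) {
            return null;
        }
        long age = nowMillis - issuedAt;
        if (age < 0 || age > timeoutMinutes * 60_000L) return null;  // from the future, or timed out
        return parts[0];
    }

    private byte[] mac(String payload) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(serverKey, HMAC_ALG));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed key: a real deployment generates 32 random bytes with SecureRandom.
        byte[] key = "replace-with-32-random-bytes-from-SecureRandom".getBytes(StandardCharsets.UTF_8);
        BoundToken issuer = new BoundToken(key, 30);       // 30-minute timeout
        long loginTime = 1_348_727_160_000L;               // constructed login timestamp
        // The value Matthias posted, reused here as the session id inside the token.
        String sessionId = "db5d16da-a1e5-48d9-a2fd-e39e36e835bc";
        String token = issuer.issue(sessionId, "browser-install-1", loginTime);

        // Same client, 10 minutes later: accepted, prints the session id.
        System.out.println(issuer.verify(token, "browser-install-1", loginTime + 10 * 60_000L));
        // Same token replayed from curl or the iOS test case: rejected, prints null.
        System.out.println(issuer.verify(token, "curl-1", loginTime + 10 * 60_000L));
        // Same client, one hour after login: rejected, prints null.
        System.out.println(issuer.verify(token, "browser-install-1", loginTime + 60 * 60_000L));
    }
}
```

The copied token fails on the client check and the hour-old token fails on the timeout, which is the behaviour Matthias was missing when the raw session id served as the token. The binding is only as strong as the client identifier: if the client sends it as a plain header, whoever captured the token can capture the id too, so it should be a per-install secret sent only over TLS or, better, a key the client proves possession of by signing requests. Rotating the token on every request ("event-based" in Bruno's terms) layers onto the same scheme by re-issuing with a fresh issue time and a counter in the payload and rejecting any earlier token for that session.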