Hi Matthias, this is one of our biggest concerns for M7; we had some discussions about it with
the PicketBox team to improve it. Currently the token relies on PicketBox sessions like this:
token = user.getSubject().getSession().getId().getId().toString();
Easy to break, as you did. My initial suggestion is to generate an application ID at
first glance and create event- or time-based tokens.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Thursday, September 27, 2012 at 3:26 AM, Matthias Wessendorf wrote:
Hi,
using the Auth-Token to get access to protected resources / endpoints
(after doing a login) works fine!
I am wondering how to avoid one token being used on different
devices (e.g. when somebody is 'stealing' the token).
I signed in to the app using the browser and got the following
token => db5d16da-a1e5-48d9-a2fd-e39e36e835bc
Now I was able to issue a GET request against the endpoints, by using
the same token, from different 'devices':
- curl
- iOS test case
NOTE: we don't need a solution now, since I know you guys are busy
with some demo work, but I just want to run that 'issue' by this list.
Greetings,
Matthias
--
Matthias Wessendorf
blog:
http://matthiaswessendorf.wordpress.com/
sessions:
http://www.slideshare.net/mwessendorf
twitter:
http://twitter.com/mwessendorf
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
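The two messages above describe the problem (a token that is literally the PicketBox session ID works from any client that holds the string) and sketch a direction (an application ID issued at first launch plus event- or time-based tokens). The following is an added illustration written for this page; it is not AeroGear or PicketBox code and uses no PicketBox API. It assumes a server-side HMAC key, that each installed app or device obtains an application ID on first launch and sends it with every request next to the token, and constructed user and app identifiers. The first part models the session-ID-as-token scheme and shows that curl and an iOS client both pass with the browser's token; the second part shows a token bound to an application ID and an expiry, where the same token presented from another app ID, after expiry, or signed with the wrong key is rejected.

```python
"""Added illustration (not AeroGear/PicketBox code): a session id reused as a
bearer token replays across devices; binding the token to an application id
and a time window, as suggested in the thread, stops that replay."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import uuid

# --- 1. The scheme under discussion: token == session id -------------------
# Constructed stand-in for user.getSubject().getSession().getId(): an opaque
# random id looked up in a session table. Whoever holds the string is the user.
SESSIONS = {}


def login_bare(user):
    token = str(uuid.uuid4())          # looks like db5d16da-a1e5-...
    SESSIONS[token] = user
    return token


def authorize_bare(token, client):
    # 'client' plays no part: browser, curl and the iOS test case all succeed.
    return SESSIONS.get(token)


# --- 2. A token bound to an application id with a time-based expiry ---------
# Assumptions: the server keeps a secret key; each app/device gets an
# application id at first launch and presents it with every request.
SERVER_KEY = secrets.token_bytes(32)   # constructed; persist/rotate properly in real code


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_bound_token(user, app_id, now, ttl=300, key=SERVER_KEY):
    """Issue token = b64(claims) '.' b64(HMAC-SHA256(key, claims))."""
    claims = {"sub": user, "app": app_id, "iat": int(now), "exp": int(now) + ttl,
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_bound_token(token, presented_app_id, now, key=SERVER_KEY):
    """Return the user if the token is intact, unexpired and presented by the
    app it was issued to; otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None                                  # malformed token
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                  # forged or tampered
    claims = json.loads(body)                        # body is authentic here
    if now >= claims["exp"]:
        return None                                  # time-based expiry
    if not hmac.compare_digest(claims["app"].encode(), presented_app_id.encode()):
        return None                                  # replayed from another device
    return claims["sub"]


if __name__ == "__main__":
    t = login_bare("matthias")
    print("bare token accepted from:",
          [c for c in ("browser", "curl", "ios-test") if authorize_bare(t, c)])
    bt = issue_bound_token("matthias", "browser-app-1", now=1000)
    print("bound token, same app:", verify_bound_token(bt, "browser-app-1", 1010))
    print("bound token, from curl:", verify_bound_token(bt, "curl-box", 1010))
    print("bound token, expired:", verify_bound_token(bt, "browser-app-1", 1400))
```

The "event-based" variant abstractj mentions (rotating the token on each request, so a copied token is dead after the legitimate client's next call) is not shown above but fits the same verify-then-reissue shape. One caveat a practitioner would want: the application ID is itself only a value the client sends, so if an attacker captures the whole request rather than just the token, binding to it gains nothing; stronger binding needs a per-installation secret the client never transmits or a key tied to the TLS channel.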