Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

https URL with token parameter : how secure is it?

On our site, we provide to users a simulation based on their private information (given through a form). We would like to allow them to get back on their simulation results later, but without forcing them to create a login/password account.

We have thought of sending them an email with a link, from which they could get back their results. But, naturally, we have to secure this URL, because private data is at stake.

So we're intending to pass a token (like a 40 characters combination of letters and digit, or a MD5 Hash) in the URL and to use SSL.

Finally, they would receive an email like that:

Hi,
Get back your results on https://www.example.com/load_simulation?token=uZVTLBCWcw33RIhvnbxTKxTxM2rKJ7YJrwyUXhXn

What do you think about it? Is it secure enough? What would you advise me for the token generation? What about passing URL parameters in a https request?

like image 729
Flackou Avatar asked Mar 13 '09 15:03

Flackou


People also ask

Is it secure to send token in URL?

Not really, URLs are still liable to be logged at the end server, which means the access token can still be leaked if an attacker was to get access to server logs. This is still susceptible to shoulder-surfing. The url also remains in the browser history, which is a potential vulnerability as well.

Is it safe to pass JWT token in URL?

As mentioned in my previous answer, JWT tokens are URL-safe when it comes to their syntax. Here is a quote from the RFC 7519: A JWT is represented as a sequence of URL-safe parts separated by period ( . ) characters.

Is token secure?

Because tokens can only be gleaned from the device that produces them—whether that be a key fob or smartphone—token authorization systems are considered highly secure and effective. But despite the many advantages associated with an authentication token platform, there is always a slim chance of risk that remains.

Is it secure to send the Access_token as part of the Websocket URL query params?

Is it secure to send the access_token as part of the websocket url query params? From a security perspective, it doesn't really matter where the access token is stored. In an ordinary HTTP request it would be stored in the header, or in a message after the websocket connection is established.


2 Answers

SSL will protect the query parameters in transit; however, email itself is not secure, and the email could bounce along any number of servers before getting to its destination.

Also depending on your web server the full URL might get logged in its log files. Depending on how sensitive the data is you might not want your IT people having access to all the tokens.

Additionally the URL with the query string would be saved in your user's history, allowing other users of the same machine to access the URL.

Finally and what makes this very insecure is, the URL is sent in the Referer header of all requests for any resource, even third party resources. So if you're using Google Analytics for example, you will send Google the URL token in and all to them.

In my opinion this is a bad idea.

like image 140
JoshBerke Avatar answered Sep 22 '22 00:09

JoshBerke


I'd use a cookie for that. The workflow should be like this:

  1. User comes to your site for the first time.
  2. Site sets a cookie
  3. User enters data. Data is stored in the DB using some key that is stored in the cookie.
  4. When user leaves, you send them an email with a https: link
  5. When user comes back, site discovers the cookie and can present the user with the old data.

Now, the user wants to use a different browser on a different machine. In this case, offer a "transfer" button. When the user clicks on this button, she will get a "token". She can use this token on another computer to reset the cookie. This way, the user decide how secure she wants to transfer the token.

like image 30
Aaron Digulla Avatar answered Sep 21 '22 00:09

Aaron Digulla