session token security parse.com

I've been building an app (ios and web app) on Parse over the last few months and have only just discovered how their session tokens work. This is what I have learnt so far:

  • Each user has their own session token
  • The token is used to replace the user credentials (for authentication) when making requests to the server
  • The token never changes (even when the password is reset) and never expires
  • The token is stored locally on client side when logged in
  • User can be logged in using the Parse.User.become(sessiontoken, options) method, with only the session token

This seems very insecure to me, or am I missing something? It seems that if anyone manages to get this token they have eternal access to the user's account, even if the username and/or password are changed?

Thanks,

Mario

Mario, asked Sep 03 '14 04:09
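The question above lists the properties that make a static, never-expiring token dangerous; the first answer below notes that Parse later moved to revocable sessions. As an added illustration (not Parse's code, and not from either poster), here is a small in-memory session store that shows what "revocable" buys you: every login gets its own random token, tokens expire, logging out revokes one token, and a password change invalidates every token issued before it. All names (`SessionStore`, `become`, `change_password`, the `password_version` counter) are assumptions made for this example; the `clock` parameter exists so expiry can be exercised without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    password_version: int = 0  # bumped on every password change; sessions carry the version they were issued under


@dataclass
class Session:
    user_id: str
    password_version: int
    expires_at: float
    revoked: bool = False


class SessionStore:
    """Hypothetical server-side store illustrating revocable sessions (not Parse's implementation)."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can advance time
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}   # keyed by SHA-256 of the token, never the raw token

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a leaked sessions table then does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user_id: str) -> User:
        self.users[user_id] = User(user_id)
        return self.users[user_id]

    def login(self, user_id: str) -> str:
        """Issue a fresh random token for this login; a second login on another device gets a different token."""
        user = self.users[user_id]
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = Session(
            user_id=user_id,
            password_version=user.password_version,
            expires_at=self.clock() + self.ttl,
        )
        return token

    def become(self, token: str):
        """Resolve a token to a user id, or None if it is unknown, revoked, expired, or pre-dates a password change."""
        session = self.sessions.get(self._key(token))
        if session is None or session.revoked:
            return None
        if self.clock() > session.expires_at:
            return None
        user = self.users[session.user_id]
        if session.password_version != user.password_version:
            return None  # token was issued under an old password: treat as revoked
        return session.user_id

    def logout(self, token: str) -> bool:
        """Revoke a single session (one device) without touching the user's other sessions."""
        session = self.sessions.get(self._key(token))
        if session is None:
            return False
        session.revoked = True
        return True

    def change_password(self, user_id: str) -> None:
        """Invalidate every outstanding session for the user by bumping the version they must match."""
        self.users[user_id].password_version += 1


def demo() -> dict:
    """Walk through the lifecycle and return the observed outcomes (constructed scenario)."""
    now = {"t": 1_000.0}
    store = SessionStore(ttl_seconds=60, clock=lambda: now["t"])
    store.register("mario")
    phone = store.login("mario")
    laptop = store.login("mario")
    out = {"two_tokens_differ": phone != laptop, "phone_valid": store.become(phone) == "mario"}
    store.logout(phone)
    out["phone_after_logout"] = store.become(phone)      # None: that device only
    out["laptop_after_logout"] = store.become(laptop)    # still "mario"
    store.change_password("mario")
    out["laptop_after_pw_change"] = store.become(laptop) # None: all old sessions dead
    fresh = store.login("mario")
    now["t"] += 61
    out["fresh_after_expiry"] = store.become(fresh)      # None: TTL elapsed
    return out


if __name__ == "__main__":
    print(demo())
```

The check that matters for the question is the `password_version` comparison in `become`: a stolen token stops working the moment the owner changes their password, which is exactly the guarantee the original Parse scheme lacked.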


2 Answers

Looks like they have just updated their systems to use revocable user sessions. Nice one Parse!

http://blog.parse.com/2015/03/25/announcing-new-enhanced-sessions

Mario, answered Oct 10 '22 03:10


I have also double checked the session token returned from the REST API & Android client. It is the same, even after I changed the password.

This is definitely a potential security issue. If anyone's mobile device is stolen, the hacker could get the session token if the session is not encrypted, and the security of the user's data is in jeopardy forever.

As the hacker could use the session token from any client forever, you will never know when the hacker will do evil. I am seriously concerned about the issue. Hope somebody will address it.

PS: Hi Mario, I have logged an issue on the Facebook Developer Platform.

https://developers.facebook.com/bugs/309490399239393/

Hope somebody will track it and resolve it eventually.

Tony Thompson, answered Oct 10 '22 03:10