So I tried to debug "https://www.ea.com/de-de/fifa/ultimate-team/web-app/" a simple web-application.
I log in and after that it sends requests with a token(here its called "X-UT-SID"). The thing is I cant find the token in any storage using chrome developers-tool. Is there any other way a token is stored like maybe encrypted in the cookie?
Thanks in advance!
You can run "window.localStorage" on console. Then, you can trace back the auth requests with these session data
Related
We are currently working with AWS-Cognito and I've been looking over the documentation to find a method that helps me retrieve the information of the user without refreshing the session if the tokens are expired.
According to this post (how handle refresh token service in AWS amplify-js), the currentSession method does refresh the session because it uses the getSession() method under the hood.
This is why I thought of using the currentUserPoolUser() method to get the information about the user's session without refreshing the tokens if they are expired, but I tried it out today and the session still gets refreshed if the tokens are expired with this method.
Does anybody know if there is a method in the aws-amplify library that would help me with this use case?
Thank you to everyone in advance! Have a great day!
I'm a back-end developer who has to create the front-end too in the current project!
I'm using reactJs and I know that for authorizing users I should get an api_token from my back-end API then use the api_token in the next requests! so I should store the api_token (actually somewhere into the client's browser)! but where should I store it to be secure?
the first answer came to my mind was 'Local Storage' ! but I've read this article: Don't store tokens in local storage
I've searched and found #auth0/auth0-spa-js, but I don't know can I trust this package (and similar) or not?
these are the way's which I've found! but what's the correct way to store sensitive data like this?
The Auth Flow should be on the Web should be
Send User/Password Details to server
Server validates and returns encrypted token with some details inside and that's stored as a HTTP Cookie
Setup Protected endpoints so only users with token can access them
Security : HTTP Cookie only means that the browser doesn't have access to it on the client, only the server. But someone can simply just Copy Paste it into their cookies which if you're worried about or working on sensitive stuff, you will need to implement additional security measures such as the ones mentioned.
Generally, Device Management is not a web concern but you can also some validation on the token for things like make the token expire in 5 minutes, or expire on session end, DeviceId, Browser Id, IP address, send them an email that a new unknown IP has logged in, etc.
Never store private tokens in your frontend code
You should create a server that can only be accessed from a particular url (the url of your app). This server can have the secret tokens that you need to make calls. The that server can forward requests to the services you will use that need private tokens.
I'm developing an ReactJS app calling api from my server. After logging in, server returns an authentic-token and I need to store it in cookies (the key is token and value is the authentic-token from server. Now I'm using universal-cookie). But when I assign document.cookie to another value like token=xxx in browser's console, the token in cookies will be modified. Is there any ways to prevent user from modifying the cookie via document.cookie ?
Thank you !
To answer your question, the answer is No. You should never have to trust data from the browser as there are a myriad ways of manipulating it.
Instead you should make sure your backend server validates the cookie.
You cannot prevent a user from modifying the token in the cookies. universal-cookie stores data in a particular way and it shouldn't be altered using document.cookie. Also, you should always validate the data in the cookie with the data in your backend as the user can manipulate the data in any way.
It would be better to use universal-cookie itself to do all the tasks related to cookies you want to do, as you can do almost everything with it. And you can also try out some other packages such as react-cookies
So I created a react-redux webapp, in which the login/signup is done using JWT authentication. This app uses a lot of server api, and due to security reasons each api request needs to accept a valid token, only then it sends back a valid response, else, it simply sends an error object back saying the token is not valid.
Now the problem arises when suppose I open my account in one browser, lets say chrome, and then I also open the same account in Firefox, now, obviously the token has expired in chrome, so when I make requests from chrome I simply get the error object returned, what would be good that I have a middleware before each server request which would check the validy of the token and then redirect to login if the token is invalid.
I am quite new to redux and was wondering if something like that is possible, any kind of help is appreciated, Thank you.
Hi I'm trying to implement auth protected audio/video stream in angular app via REST api. The goal is to secure audio/video to not to be shared with other not logged users. I tried single use token so flow looks like this:
Angular ask for single use token after you click play button POST: file/1/token
Angular get the token and paste token into url ?token=...
Stream request is send to the server GET: file/1?token=...
Server checks the token and removes it from database
If token is right stream begin
The problem came when you click on timeline where stream is not buffered yet so the browser automatically sends another request which of course is unauthorized because token has been already removed.
I want to keep api stateless but as you see some kind of state is forced by html media.
I would love to hear your hints or solutions on that problem.
Problem is solved for now. Maybe it's not the best solution but it covers all requirements.
We decided to use session which breaks the REST principles but simply works.
Now we getting token as it was before POST: file/1/token
Getting file with provided token GET: file/1?token=...
The difference is that in the controller we open new PHP session, save token into session and remove it from database. Now we are able to check whether token is in database or in the session.
So if you send link to other people they don't have an access. Only you have access as long as token is in the PHP session.