Ruby on Rails 4 - Explain the use of tokens in transmitting data over GET
(Full context: the latest response/discussion on the question "button_to in email not posting")
I'd like a user to click a link in an email and be able to post data to the database. My current understanding is:

Best practice (per the latest answer to the question above, and other answers I've tried) is to transmit a token to the website (so it might be example.com?token=asdfaiosugkljlfkdjslfjasklf), and have a script on the website take the token, parse the data, and post it. The reason tokens should be used is that otherwise it's not secure: anyone can see the URI, it can be cached/bookmarked, and therefore it can result in erroneous posts to the database if resubmitted, i.e., you shouldn't use
example.com/:id/action since anyone can trigger the action repeatedly (which in my case, since one of the actions results in deletion of records, is bad).
What I don't understand is how a token is different, because it's not as if every time the user opens his/her email, s/he sees a different link. If I pass a token and the link in the email is example.com?token=asdfaiosugkljlfkdjslfjasklf, the link can still be bookmarked/cached/whatever. As part of my research, I looked at emails a web service sends me in which an email button can be clicked to post something. Indeed, each time I check the link, it's the same: www.theirsite.com/?uid=abc where abc is a base64 token. And indeed I can click on it repeatedly, and I can bookmark it and open it again and again. It seems like a mask on the data, but with the same mask every single time it's pointless.

Now, if the mask is there for security's sake, that makes some sense, because perhaps only the website is able to decode the token. But in my case, I want to ensure the URI doesn't inadvertently result in multiple repeat postings which, as I said, delete data. I don't have sensitive user information.
Of course, I realize there are huge holes in my understanding, so I'm opening this up to smarter people to explain how the "big guys" do it, in terms of:

Is it still necessary to use a token to transmit data (let's say sensitive data, because even if it's not useful now, I'm sure I'll need it at some point) via an HTTP request when I need the data posted to the database?

How do I ensure the URI is able to modify the database only once? (Is there a "first" method of some kind? Or is it handled after the user gets a popup that says they've performed the action?)
Tokens serve a couple of purposes here. First, they can be used to authenticate that the action is legitimately coming from the email you sent, and not from someone brute-forcing the URL. Second, the token can be used to prevent accidental replays, or outright replay attacks. Here's how:

When you send an email with a link like /requests/1001/accept?token=asdf... you should be: a) randomly generating the token in a secure way, and b) storing the token in the database, perhaps with additional metadata. More on the metadata in a bit.

The design should be: the request is valid if and only if the token hasn't been used, and the token is one-time use only. When the user clicks on the email link, you need to check whether the provided token matches a row in the token table. Then delete it from the token table (unless you want race conditions, use a transaction). This is provably the simplest way to achieve what you want - you don't need anything else to ensure links can't be double-followed, and you can't do it with less (tracking whether a link has been used or not requires remembering information specific to that link, by definition). The tokens you see in the emails you investigated operate in this way.

You can add other metadata to the token, such as the id of the user who may legitimately use it, for example. You may end up de-normalizing your database depending on how the other tables are set up.

As a side note, this isn't RESTful since it's a mutating action in a GET request, but in this case POST is overrated and doesn't give you anything over GET. It's difficult to implement in emails (you can hack Rails's _method parameter, but it offers no real benefit).
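The one-time token table the answer describes, as an added example that is not part of the original answer or of any Rails project. It is plain Ruby so it runs stand-alone: the `EmailActionTokens` class, its `Token` struct, the `handle_click` helper and the `race_to_consume` demo are all hypothetical names, the `Hash` stands in for the token table, and the `Mutex` stands in for the database transaction. In a real Rails app the same shape would be a model with a unique index on `token`, and `consume!` would be a `transaction` block that locks and destroys the row; that mapping is assumed here, not shown.

```ruby
require 'securerandom'

# Hypothetical stand-in for the "token table" from the answer.
# In Rails: a model with a unique index on `token`; the Mutex below plays the
# role of the database transaction so that check-and-delete is atomic.
class EmailActionTokens
  Token = Struct.new(:token, :user_id, :request_id, :action, :expires_at,
                     keyword_init: true)

  TOKEN_BYTES  = 32                              # 256 bits: brute-forcing the URL is infeasible
  TOKEN_LENGTH = (TOKEN_BYTES * 4 / 3.0).ceil    # urlsafe_base64 without padding => 43 chars
  TOKEN_FORMAT = /\A[A-Za-z0-9_-]{#{TOKEN_LENGTH}}\z/

  def initialize
    @rows  = {}          # token string => Token row
    @mutex = Mutex.new   # stands in for transaction / row lock
  end

  # Issue a fresh token bound to a user, a request id and an action (the
  # "metadata" from the answer). Returns the string to embed in the email link.
  def issue(user_id:, request_id:, action:, ttl: 7 * 24 * 3600)
    token = SecureRandom.urlsafe_base64(TOKEN_BYTES)   # CSPRNG, URL-safe
    @mutex.synchronize do
      @rows[token] = Token.new(token: token, user_id: user_id, request_id: request_id,
                               action: action, expires_at: Time.now + ttl)
    end
    token
  end

  # Look up and delete the token in one critical section. Returns the row on
  # first use, nil for an unknown, already-used, mismatched or expired token.
  # Two concurrent clicks on the same link therefore cannot both succeed.
  def consume!(token, request_id:, action:)
    return nil unless token.is_a?(String) && token.match?(TOKEN_FORMAT)
    @mutex.synchronize do
      row = @rows[token]
      return nil if row.nil?                       # never issued, or already used
      if row.expires_at < Time.now
        @rows.delete(token)                        # stale: burn it and reject
        return nil
      end
      # Token must be used for the request/action it was issued for; a mismatch
      # is rejected without burning it, so the legitimate link still works.
      return nil unless row.request_id == request_id && row.action == action
      @rows.delete(token)                          # one-time use: gone after this
      row
    end
  end

  def size
    @mutex.synchronize { @rows.size }
  end
end

# What the controller action behind /requests/:id/:action?token=... would do.
# Returns a status symbol instead of rendering; params is the request params hash.
def handle_click(store, request_id, action, params)
  row = store.consume!(params['token'], request_id: request_id, action: action)
  return :invalid_or_already_used unless row
  # ... perform the side effect here (accept the request, delete the record) ...
  :performed
end

# Simulate many simultaneous clicks on the same link; exactly one may win.
def race_to_consume(store, token, request_id:, action:, clicks: 20)
  results = Array.new(clicks)
  threads = clicks.times.map do |i|
    Thread.new { results[i] = store.consume!(token, request_id: request_id, action: action) }
  end
  threads.each(&:join)
  results.count { |r| !r.nil? }
end

if $PROGRAM_NAME == __FILE__
  store = EmailActionTokens.new
  t = store.issue(user_id: 7, request_id: 1001, action: 'accept')
  puts "link: /requests/1001/accept?token=#{t}"
  puts handle_click(store, 1001, 'accept', 'token' => t)   # :performed
  puts handle_click(store, 1001, 'accept', 'token' => t)   # :invalid_or_already_used
end
```

The bookmarked-link worry from the question is answered by the delete inside `consume!`: the URL in the mailbox never changes, but after the first successful click there is no row left for it to match, so the second click is rejected rather than deleting records again. The metadata check means a token issued for request 1001 cannot be replayed against request 1002 or against a different action.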