Implementing Token-based Authentication for Service-based Web Applications


With the magical things developers can achieve with JavaScript these days, there is almost no reason to develop on the web without JavaScript. The drawbacks of the traditional web development approaches are just too unbearable. JavaScript introduces superb user experience with AJAX and developers can now update an element on a page without post back!

Although JavaScript solves  most of the developer's head ache, it introduces its own issues. Foremost of these are security flaws of which we have the 3 giants: XSS, CSRF and SQL Injection.

I remember implementing a solution for a leading financial company in Nigeria, and though I insisted on stringent security measures for the Web API, the guy in charge maintained that there was no need for it, and the project went ahead without it. Yes! there are lots of systems trusted by the public that are in use without adequate security. I'm afraid these are time bombs waiting to explode. The effect of not adequately securing a system can be very disastrous, ranging from Identity Theft, to denial of service and other issues. No matter how minute, you do not want your organisation to suffer any of it.

Securing Your Web-API Using Tokens
I'm assuming here that you have good knowledge of your database, server side language like PhP, C# or Python and JavaScript. In later posts, I will break down the steps and provide sample codes, this post only outlines the solution (note that no solution is 100% bullet proof, the best guard against hacking is being security conscious, keeping up to date with trends and fixing loop holes immediately). The steps are outlined below:

  1. After users are authenticated with their usernames and passwords, an encrypted token (named UserToken) is generated with expiry date/time set and returned to the client in the response header. This UserToken is unique and saved in the database along with the expiry date for the UserToken and the UserId of the user for which its meant. UserToken validity normally should not be less than 5 minutes, and not more than one hour
  2. Thereafter, for every request initiated from the client, the client must include this UserToken in the request header
  3. The server will first confirm that:
    • The UserToken is valid and active (i:e not yet expired)
    • The UserToken belongs to the user that initiated the request
  4. If these conditions are met, the UserToken validity is extended and request is processed
  5. It any of the conditions isn’t met, the server returns 401 error

Other Considerations
  1. If you do not wish to allow multiple login by the same user concurrently on different devices, in order to increase security, we may have to expire a UserToken once the user logs into another device.
  2. You may also decide to tie the userAgent to the UserToken, to ensure that only the browser that was authenticated can generate subsequent requests.

Comments

Post a Comment

Popular posts from this blog

Resize or Crop Image before Upload Using HTML5 File API

Image
I've always loved how Whatsapp, Facebook, Twitter and all the major social network platforms maintained sanity of uploaded profile pictures through the use of instant resize at upload time. Of course not only profile pictures need to be made to conform to a specific dimension, if you find other scenarios during development when you need to ensure that your images are of a specific height and width, or aspect ratio then this article will help you do just that. You may also just want to give the user ability to resize before final upload, this article will help you do just that. Step 1: Download CropperJs Plugin There are lots of plugins that could help to achieve our objective, and I've tried a few. I find this one very robust and easier to use. Here's the github link Step 2: Import the CropperJs Plugin Using your script tag, import the downloaded plugin's Javascript file and link the CSS file too. Note, that for speedy loading, CSS files should be loaded in t
Read more

Get Creative With Data Tables: Row Click Events

Image
Introduction Datatables from datatables.net are so lovely, especially with the responsive extension that you can enable by including dataTables.responsive.js in your project. I particularly find fascinating the combination of search / filtering, pagination, ordering and exporting features which are available right 'out-of-the-box'. Issue Well, as great as datatables are, you will find it difficult if not impossible to develop a system with acceptable user-experience using bare-bone datatables implementation. In my own case, because I was porting my superb Asset and Inventory Management Application found at asset.bz to the mobile platforms using PhoneGap, I needed the user to be able to tap on any record in order to perform some pre-define operations like editing, approvals etc. Solution Apparently, the solution isn't far fetched. The sample code below would do the job nicely: // HTMLTableData is your array of records to be displayed in the data table
Read more

Exception from HRESULT: 0x80131040

Image
Background: I just recently upgraded to Windows 10, and I must confess, the overall experience immediately got me. I love the fact that our good old start menu was back and better. The tile one was much of a controversy although I have been indifferent about it all the while. I particularly love Cortana, the search assistant who made me remember the office assistants that used to come with the office suite back then. The euphoria I experience was a perfect disguise, however, for the ambush that was ahead. Issue: I went ahead to open VisualStudio and launched the project I was currently working on. I pressed F5 to launch it, only to ram into a jam! The project I still successfully tested only a day before now threw an exception. From my experience, and this situation hasn't proved me wrong, every Microsoft upgrade always has a catch somewhere. This particular one forced me to begin to rectify a fault in an application that was initially 'bug-free' before my u
Read more