Implementing Token-based Authentication for Service-based Web Applications
With the magical things developers can achieve with JavaScript these days, there is almost no reason to develop on the web without JavaScript. The drawbacks of the traditional web development approaches are just too unbearable. JavaScript introduces superb user experience with AJAX and developers can now update an element on a page without post back!
Although JavaScript solves most of the developer's head ache, it introduces its own issues. Foremost of these are security flaws of which we have the 3 giants: XSS, CSRF and SQL Injection.
I remember implementing a solution for a leading financial company in Nigeria, and though I insisted on stringent security measures for the Web API, the guy in charge maintained that there was no need for it, and the project went ahead without it. Yes! there are lots of systems trusted by the public that are in use without adequate security. I'm afraid these are time bombs waiting to explode. The effect of not adequately securing a system can be very disastrous, ranging from Identity Theft, to denial of service and other issues. No matter how minute, you do not want your organisation to suffer any of it.
Securing Your Web-API Using Tokens
I'm assuming here that you have good knowledge of your database, server side language like PhP, C# or Python and JavaScript. In later posts, I will break down the steps and provide sample codes, this post only outlines the solution (note that no solution is 100% bullet proof, the best guard against hacking is being security conscious, keeping up to date with trends and fixing loop holes immediately). The steps are outlined below:
- After users are authenticated with their usernames and passwords, an encrypted token (named UserToken) is generated with expiry date/time set and returned to the client in the response header. This UserToken is unique and saved in the database along with the expiry date for the UserToken and the UserId of the user for which its meant. UserToken validity normally should not be less than 5 minutes, and not more than one hour
- Thereafter, for every request initiated from the client, the client must include this UserToken in the request header
- The server will first confirm that:
- The UserToken is valid and active (i:e not yet expired)
- The UserToken belongs to the user that initiated the request
- If these conditions are met, the UserToken validity is extended and request is processed
- It any of the conditions isn’t met, the server returns 401 error
Other Considerations
- If you do not wish to allow multiple login by the same user concurrently on different devices, in order to increase security, we may have to expire a UserToken once the user logs into another device.
- You may also decide to tie the userAgent to the UserToken, to ensure that only the browser that was authenticated can generate subsequent requests.
Comments
Post a Comment