问题
any request is made via HTTPS and the token is transmitted the following ways:
a) GET https://foo.dom/foobar?auth_token=abcxyz
b) GET https://foo.dom/foobar with HTTP-header like X-FOOBAR-TOKEN: abcxyz
As I understand SSL, in case of an HTTP request the client first negotiates the SSL connection and does only transmit additional parameters and/or HTTP headers in case the secure connection was established successfully.
Am I right so far?
Thx fur any suggestion. Felix
回答1:
SSL buys you encryption of the transport so no one can snag the auth token while it is being sent/to from the site. There are some man-in-the-middle attacks that can be performed against SSL but generally SSL should protect the token content.
What makes or breaks the security is whether or not the Token it-self is cryptographically secure. If that can be said to be true then your are golden. Check out this site http://web.mit.edu/kerberos/dialogue.html.
There are plenty of other sites that use secrue tokens for auth, see: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html.
来源:https://stackoverflow.com/questions/7836045/is-token-based-authentication-secure-when