Question
My current architecture is based on LDAP + JSON Web Token authentication, and I'm passing the token via the URL this way:
https://myHostApp?jwt={myToken}
Is it safe to proceed this way, or should I pass the tokens another way? Assuming also that SSL is enabled.
Answer 1:
I disagree with the accepted answer. It is right to say that the use of HTTPS will prevent data leaks. However, there are a lot of attacks that are achievable if tokens are set in the query string. For example:
- Using the browser history
- Using a transparent proxy
Furthermore, every web server logs the access requests; thus, if an attacker gets access to your server, all tokens will be available.
Even RFC 6750 (OAuth2 Bearer Token Usage) DOES NOT recommend the use of this transport mode:
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
Please note that RFC 6750 refers to the OAuth2 Framework protocol but is not limited to it, and should be considered for every token transmission in a Web context.
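The header-based transport this answer recommends, as an added example that is not part of the original thread: a small Python helper set that accepts only an RFC 6750 Authorization header, refuses the ?jwt=... form outright, and redacts token-carrying query parameters before a URL is written to an access log. The request dict shape, the parameter names in TOKEN_PARAMS and the status codes are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of query parameters that must never carry a token.
TOKEN_PARAMS = {"jwt", "access_token", "token"}

# RFC 6750 b64token syntax: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" then optional "="
_BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)", re.IGNORECASE)


def extract_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    match = _BEARER_RE.fullmatch(headers.get("Authorization", "").strip())
    return match.group(1) if match else None


def authenticate(request):
    """Accept header-carried tokens only.

    request is a constructed dict: {"query_string": str, "headers": dict}.
    Returns (status, detail); detail is the token on success.
    """
    query = dict(parse_qsl(request.get("query_string", ""), keep_blank_values=True))
    if TOKEN_PARAMS & query.keys():
        # Reject instead of silently accepting: the token is already in the URL,
        # so the client must be told to stop sending it that way.
        return 400, "token must be sent in the Authorization header, not the URL"
    token = extract_bearer(request.get("headers", {}))
    if token is None:
        return 401, "missing bearer token"
    return 200, token


def redact_url(url):
    """Mask token-bearing query values so they never reach the access log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample requests mirroring the question's URL form.
    print(authenticate({"query_string": "jwt=eyJhbGciOiJIUzI1NiJ9.e30.sig", "headers": {}}))
    print(authenticate({"query_string": "", "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig"}}))
    print(redact_url("https://myHostApp?jwt=eyJhbGciOiJIUzI1NiJ9.e30.sig&page=1"))
```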
Answer 2:
You should pass the token in a header in every request.
Source: https://stackoverflow.com/questions/46133271/is-that-safe-to-pass-jwt-in-urls-to-authenticate-users