
I use the gem devise_token_auth while developing an API for a mobile app.
Authors claim that:

Tokens should be invalidated after each request to the API.

This behavior is enabled by default. Can someone explain why?

The perfect answer will contain all the mandatory security mechanisms of this authentication method. Each one will be justified with the name of one associated attack. Special consideration must be given to the token invalidation.

rdupz
  • I believe it is a protection against "replay" attacks, but I am not an expert in your ruby stuff. – Jakuje Feb 20 '16 at 14:50
  • Thanks, but I don't think this is "ruby" specific. It's all about the token management process. – rdupz Feb 20 '16 at 15:02
  • This is very unusual. For example, OAuth, likely the most widely used token auth system for APIs, puts timeouts on tokens but allows them to be used repeatedly within the timeout's limit. – Neil Smithline Feb 20 '16 at 16:13
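To make the mechanism under discussion concrete, here is an added, self-contained Ruby model of per-request token rotation. It is not devise_token_auth's code and not taken from the question or the comments; it only reproduces the behaviour the question quotes (the token is invalidated after each request) so that the replay point raised in the first comment can be observed directly. The class name `RotatingTokenStore`, the `TOKEN_LIFETIME` constant, the injectable clock and the two `demo_*` functions are all assumptions of this example.

```ruby
require 'securerandom'
require 'digest'

# Constructed illustration of per-request token rotation (not the gem's code).
# Server state is an in-memory hash keyed by a per-device client id; a real
# service would persist it, but the checks are the same.
class RotatingTokenStore
  TOKEN_LIFETIME = 2 * 7 * 24 * 3600 # seconds; an assumed value for this example

  Session = Struct.new(:user_id, :token_digest, :expires_at)

  def initialize(clock: -> { Time.now.to_i })
    @sessions = {}   # client_id => Session
    @clock = clock   # injectable so expiry can be exercised deterministically
  end

  # Login: mint a client id and a fresh bearer token. Only a digest of the
  # token is stored, so a leaked session table does not yield usable tokens.
  def sign_in(user_id)
    client_id = SecureRandom.hex(16)
    token = SecureRandom.urlsafe_base64(32)
    @sessions[client_id] = Session.new(user_id, digest(token), @clock.call + TOKEN_LIFETIME)
    [client_id, token]
  end

  # Authenticate one request. A valid token is consumed and replaced by a new
  # one, which is what makes a captured token useless after its first use.
  # Returns [user_id, next_token] on success, nil on failure.
  def authenticate(client_id, token)
    session = @sessions[client_id]
    return nil if session.nil?
    return revoke(client_id) if session.expires_at <= @clock.call
    return nil unless secure_equal?(session.token_digest, digest(token))

    next_token = SecureRandom.urlsafe_base64(32)
    session.token_digest = digest(next_token)
    session.expires_at = @clock.call + TOKEN_LIFETIME
    [session.user_id, next_token]
  end

  # Logout or server-side invalidation of one device's session.
  def revoke(client_id)
    @sessions.delete(client_id)
    nil
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison: the loop does not exit early on the first
  # mismatching byte, so response time does not reveal how much matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A legitimate request followed by a replay of the same token.
# Returns [user_id, first_request_ok, replay_rejected, token_changed].
def demo_replay_rejected
  store = RotatingTokenStore.new
  client_id, t1 = store.sign_in(42)
  user, t2 = store.authenticate(client_id, t1)   # first use succeeds, t2 issued
  replay = store.authenticate(client_id, t1)     # t1 presented again: rejected
  [user, !t2.nil?, replay.nil?, t2 != t1]
end

# An unused token still dies when its lifetime passes (rotation alone is not
# enough; an absolute expiry bounds how long a never-used token stays valid).
def demo_expiry
  now = 1_000_000
  store = RotatingTokenStore.new(clock: -> { now })
  client_id, token = store.sign_in(7)
  now += RotatingTokenStore::TOKEN_LIFETIME + 1
  store.authenticate(client_id, token).nil?
end

if __FILE__ == $PROGRAM_NAME
  p demo_replay_rejected # => [42, true, true, true]
  p demo_expiry          # => true
end
```

The trade-off this model makes visible is the one the third comment hints at: because every successful request consumes the token, two requests sent concurrently with the same token race, and the second one loses. Timeout-only schemes such as the OAuth flow mentioned above avoid that race but leave a captured token usable until it expires; per-request rotation narrows that window to a single request at the cost of needing a grace mechanism for concurrent calls, which this example deliberately omits.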

0 Answers