0

Is it secure to manipulate an auth token inside client-side JavaScript over HTTPS? I want to pass that token to a WebSocket after login.

    $.getJSON(
        $SCRIPT_ROOT + '/jscript_get_auth_token',
        {},
        function (data) {
            // Extract token from data, then manipulate it, pass it to a function, etc.
            var token = data.result;
        }
    );
se7en

2 Answers

1

Your question title is different to the question in your post.

Is it secure to get the token via JavaScript from the server? This depends on the server-side validation method in place. Assuming these are OK, manipulating the token in JavaScript and then sending it to a WebSocket should be fine as long as server-side validation is good.

Darragh
0

If you only want to read additional data from the token (like a JWT), it is no security threat, since this part of the token is not even encrypted. If you want to expose some secret keys by hardcoding them or getting them from a web server to change and create a new token, that might be subject to XSS and so on, for example.

Ilya Chernomordik
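
What both answers describe, shown as an added example that is not part of the original posts: the browser can read a JWT's claims without any key, while the server holding the signing key rejects a token whose claims were edited on the client. It assumes an HS256 JWT; `SERVER_SECRET`, the function names and the sample claims are constructed for illustration.

```javascript
// Added example; all names and sample values are constructed for illustration.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Signing key: lives on the server only and is never sent to the browser.
const SERVER_SECRET = "constructed-demo-secret";

const b64url = (text) => Buffer.from(text, "utf8").toString("base64url");
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
const sign = (data, secret) => createHmac("sha256", secret).update(data).digest();

// Server: issue an HS256 JWT after login.
function issueToken(claims, secret) {
  const data = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${data}.${sign(data, secret).toString("base64url")}`;
}

// Client: reading claims needs no key, the payload is only base64url-encoded.
// (Buffer stands in for the browser's atob here so the block runs under Node.)
function readClaims(token) {
  return fromB64url(token.split(".")[1]);
}

// Client: what editing a claim without the key produces (old signature kept).
function editClaims(token, changes) {
  const [head, , sig] = token.split(".");
  return `${head}.${b64url(JSON.stringify({ ...readClaims(token), ...changes }))}.${sig}`;
}

// Server, e.g. in the WebSocket handshake: verify before trusting any claim.
function verifyToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = fromB64url(head);
    claims = fromB64url(body);
  } catch {
    return null; // not valid base64url JSON
  }
  if (!header || header.alg !== "HS256") return null; // pin the algorithm
  const expected = sign(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
  return claims;
}
```

`verifyToken` returns the claims only when the signature matches and `exp` is in the future; in every other case it returns `null`, and the server should refuse the connection.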