Questions tagged [token]

DO NOT USE THIS TAG! For questions about CSRF tokens, use [CSRF]. For questions about session IDs, use [session-management]. For questions about OAuth tokens, use [oauth] and [oauth2]. For questions about hardware authentication tokens, use [hardware-token].

209 questions
400 votes, 5 answers

Why is 'Bearer' required before the token in the 'Authorization' header in an HTTP request?

What exactly is the difference between the following two headers: Authorization : Bearer cn389ncoiwuencr vs Authorization : cn389ncoiwuencr? All the sources which I have gone through set the value of the 'Authorization' header as 'Bearer'…

Anmol Gupta
124 votes, 3 answers

Session Authentication vs Token Authentication

I am trying to get a handle on some terms and mechanisms and find out how they relate to each other or how they overlap. Authenticating a theoretical web application and mobile application is the focus. The focus is on the exact difference between…

Hoax
40 votes, 3 answers

How does JTI prevent a JWT from being replayed?

According to the JWT RFC a JWT can optionally have a JTI which I interpret to be a unique ID for a JWT. It seems like a UUID is a good value for a JTI. The RFC claims that the JTI can be used to prevent the JWT from being replayed. Two…

ams
32 votes, 6 answers

How safe are employee laptops in China against international corporate espionage?

I recently took a business trip to China. Our IT department told me I could not take my normal machine, and instead gave me a loaner. This loaner had MS Outlook and was linked to my normal company e-mail account. I logged into the corporate…

Stone True
31 votes, 3 answers

Should I be able to see patterns in an HS256-encoded JWT?

I was fiddling with https://jwt.io/ using this header { "alg": "HS256", "typ": "JWT" } when I realized that replacing the payload name with something repetitive like AAAAAAAAAAAAAAAAAAAA would produce a token such as…

jmacedo
29 votes, 7 answers

What is a good way to authenticate a user to a smart phone?

What would be a good way to authenticate a user to a smart phone? By good, I mean that it is both secure and user-friendly. Passwords don't seem to be the best fit because a password needs to be long to be secure, but it is hard to type a long…

Jonathan
19 votes, 2 answers

Is my JWT refresh plan secure?

I plan on using JWT for my login system for mobile devices. There is no real standard workflow for refreshing JWT tokens I could find, so I created this one below. The reason I want to use JWT is for performance reasons. Instead of checking if a user…

user2924127
19 votes, 1 answer

Where to store access and refresh tokens on an ASP.NET client web app calling a REST API

I've made a Web API in ASP.NET that acts as the entry point into a SQL Server database for report data. This service has a "token" endpoint that authenticates a user via ASP Identity and returns a 20-minute access token and a 2-week refresh token. This API…

Andy DesRosiers
16 votes, 3 answers

Am I generating email link tokens correctly?

I am developing a reliable system for token generation and validation used mainly for links in confirmation emails (reset password request, change email flow, activate an account, etc.). There are a few things that are mandatory: Token must be…

Baterka
14 votes, 2 answers

How to allow users to connect from multiple devices with refresh tokens?

This question follows my previous one: How to securely keep my users signed in with refresh tokens? What I got from this previous question is that we need: short-lived access tokens, long-lived one-time refresh tokens. Refresh tokens are persisted…

sp00m
14 votes, 2 answers

Secure HttpOnly Cookie or Header field for auth token securing an API?

I have an API to secure. There will potentially be two types of consumers of this API: our own Single Page Application, and third party services that will integrate with it. I have read that in general cookies are not favoured for REST APIs, it is…

user2800708
13 votes, 2 answers

JWT token login and logout

Hi, I am creating a mobile native application that uses REST API endpoints to communicate with the server side. I have had previous experience developing native clients, but I have a simple token (randomly generated string) stored in the DB in the same table where…

eemrxoha
10 votes, 1 answer

Randomly generated token vs JSON web token

I'm trying to secure access to my web server. I have been implementing a JSON web token authentication where I randomly generate a secret key and associate it with that user. The secret key will then be used to encode the JSON web token. Then the user…

Big yellow duck
10 votes, 1 answer

Why refresh tokens are used

Reading about JWT I see it is common practice to include a refresh token along with the short-lived token. So commonly it seems you have a short-lived token which lasts for a short time such as 15 minutes, and a refresh token which renews this token…

user2924127
9 votes, 1 answer

Would encrypting a signed JWT prove viable to secure the claims payload?

I am working on a server-client web application, and as an authentication scheme, I am issuing base64-encoded JSON web tokens. Consider the following…

scniro