Token based authentication in REST API

I am trying to implement a token-based authentication approach:

  • Each successful login creates a new token.

  • If the user chooses to "keep me logged in" or the user uses a mobile device, the token is stored in the Redis database without expiration. Otherwise, the token will expire after 20 minutes.

  • After user authentication, the token is checked with each subsequent request in my Redis database.

I am wondering how I can identify devices. In the case of mobile devices, I can use the device identifier. But how can I identify the browser?

Example. The user logs in to Chrome and selects "Remember me." A marker is generated and saved with the browser name in Redis. If the user logs in from Firefox, the token and "Firefox" are saved in the database. I save the token in Redis, while the token is created on successful authentication. Is it good to save only the token and the browser that uses the token? Or do I need to also save the IP?

Additional question: How can I prevent intruders from stealing a token from a cookie?

+3
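The scheme the question describes, as an added example that is not part of the original post: each login issues a fresh token, the store keeps it (keyed by its hash) without expiry for "remember me" or mobile logins and with a 20-minute expiry otherwise, and every request is checked against the store. An in-memory dict stands in for Redis, and binding the token to the saved device label on each request is this example's assumption, not something the question settles.

```python
import hashlib
import secrets
import time
from typing import Optional

SESSION_TTL = 20 * 60  # seconds; the 20-minute expiry from the question

# Constructed in-memory stand-in for the Redis store in the question:
# key = sha256(token), value = {"user", "device", "expires_at"}.
SESSIONS: dict = {}


def _key(token: str) -> str:
    # Store a hash of the token so a copy of the store cannot be replayed as live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user: str, device: str, remember: bool, is_mobile: bool,
          now: Optional[float] = None) -> str:
    """Create a fresh token on each successful login and record how long it lives."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # "keep me logged in" or a mobile device: no expiration; otherwise 20 minutes.
    expires_at = None if (remember or is_mobile) else now + SESSION_TTL
    SESSIONS[_key(token)] = {"user": user, "device": device, "expires_at": expires_at}
    return token


def authenticate(token: str, device: str, now: Optional[float] = None) -> Optional[str]:
    """Per-request check: the user, or None if the token is unknown, expired,
    or presented from a device other than the one recorded at login (assumed binding)."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(_key(token))
    if entry is None:
        return None
    if entry["expires_at"] is not None and now >= entry["expires_at"]:
        del SESSIONS[_key(token)]  # lazy expiry; Redis would do this with EXPIRE
        return None
    if not secrets.compare_digest(entry["device"], device):
        return None
    return entry["user"]


def logout(token: str) -> None:
    SESSIONS.pop(_key(token), None)


def session_cookie(token: str) -> str:
    """Set-Cookie value that keeps the token away from page scripts and off plain HTTP."""
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
```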
2 answers

How Token Based Authentication Works

[The body of this answer did not survive extraction; only the following fragments remain.]

  • A quotation from section 5.1.3 of Roy T. Fielding's dissertation on REST.
  • RFC 7235, section 5.1.2 (HTTP authentication) and section 4.2, the Authorization header (Authorization = credentials), sent after a 401 response.
  • Mentions of JSON Web Token (JWT), the User-Agent header, and HTTPS as protection against man-in-the-middle attacks.

+17

[The body of this answer did not survive extraction; only a mention of User-Agent remains.]

0

Source: https://habr.com/ru/post/1016543/
