I am working on a security design for a new application in my company. We use the Windows Identity Foundation framework.
I have a login application that issues a token to a user who is successfully authenticated. Then the token is used to access the new application. Of course, this is transparent to the user.
The WIF framework provides a page with some JavaScript, including security token data that identifies the authenticated user. The JavaScript instructs the user's browser to place the security token data in the application.
There are two specific security options that I would like to mention.
- Signing the token
- Encrypting the token

Obviously, token signing is of utmost importance. It is imperative that the application can recognize the security token as a valid security token from the login application.
As for token encryption, I don’t know exactly why I need it. The data in the security token simply identifies the user and provides a user session identifier.
My question is: Is there anything inherent to security tokens that means they must not only be signed, but also encrypted?
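A minimal illustration of the distinction behind the question, added here as an example and not code from the post or from WIF: a token that is signed but not encrypted lets the application check origin and integrity, yet its claims are readable by any party that sees the token (the browser, a proxy, a log). The signing key, claim values and token format are constructed for the example; WIF tokens are XML and use certificate-based signatures rather than this HMAC scheme.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key: stands in for the login application's signing
# credential. The relying application holds the matching verification key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue a signed-but-unencrypted token: <base64 claims>.<base64 HMAC-SHA256>."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY):
    """Return the claims if the signature checks out, else None.

    This is what signing buys: the application learns the token is unmodified
    and came from a holder of the signing key. It says nothing about secrecy.
    """
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))


def read_claims_without_key(token: str) -> dict:
    """What anyone holding the token can read: no key is needed at all."""
    return json.loads(_unb64(token.split(".", 1)[0]))


def modify_claims(token: str, **changes) -> str:
    """Re-encode the claims with changes but keep the old signature; used below
    to show that the signature check detects a modified token."""
    claims = read_claims_without_key(token)
    claims.update(changes)
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{token.split('.', 1)[1]}"
```

Encryption would be the additional step needed if the session identifier or other claims must stay hidden from whoever carries or observes the token; signing alone does not hide them.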