Parse.com session token security

I have created an application (iOS and web) in Parse over the past few months and just discovered how their session tokens work. This is what I have learned so far:

  • Each user has their own session token.
  • The token replaces the user's credentials (for authentication) when executing server requests.
  • The token never changes (even if the password is reset) and never expires.
  • The token is stored locally on the client side at login.
  • A user can log in using the Parse.User.become(sessionToken, options) method with only the session token.

Does this seem very insecure to me, or am I missing something? It seems that if someone manages to get this token, they have permanent access to the user account, even if the username and/or password are changed?

Thanks,

Mario

+6
2 answers

It looks like they just updated their systems to use revocable user sessions. Good job, Parse!

http://blog.parse.com/2015/03/25/announcing-new-enhanced-sessions

+3

I also double-checked the session token received from the REST API and the Android client. It is the same, even after I changed my password.

These are definitely potential security issues. Anyone who has stolen a mobile device, or a hacker, can get the session token if it is not encrypted, and the security of the user's data is permanently compromised.

A hacker could use the session token from any client forever. You will never know when a hacker will do harm. I am seriously concerned about this problem. Hope someone will address it.

PS: Hi Mario, I filed an issue on the Facebook developer platform.

https://developers.facebook.com/bugs/309490399239393/

Hope someone tracks it and resolves it in the end.

+2

Source: https://habr.com/ru/post/974726/
