Nithin 🦹‍♂️

@thebinarybot

9 Tweets Dec 09, 2022
A thread on "Token-Based Authentication" - Part 9 of the "Understand the Internet" series.
🧵👇
#bugbounty #infosec #cybersecurity #hacking
โช Before we get going with Token-Based Authentication, do you know what Session-Based Authentication and Cookies are?
If not, read the thread below before continuing with the current.
🔵 In token-based authentication, the server issues you a token, and on later requests it identifies you by decoding that token itself.
🔴 So what's the difference between session-based and token-based authentication?
Simply put, in session-based authentication the server stores your session_id and, every time it receives a session_id, checks it against that store to validate your identity.
In token-based authentication, the token is not stored on the server; it is simply decoded every time it is passed in a request.
🔴 So what if I manipulate the token and put someone else's information in it?
There are token forgery attacks that work exactly like that. To prevent them, applications can strongly encrypt the token, or, better, encode it so that only the server can read it.
🔵 But the best way to protect the integrity of a token is to sign it when it is issued and verify the signature when it arrives back.
If anybody tampers with the token, the signature no longer matches, which stops the token from being forged.
🔵 Note also that the user has to send the token with every single request to prove their identity. Without it, the server has no way to identify you.
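The sign-then-verify flow described in the thread, as an added example that is not part of the original thread: the server issues a token whose payload is base64url-encoded JSON followed by an HMAC-SHA256 tag, keeps no per-user state, and on every request recomputes the tag and rejects any token whose payload was altered, that was signed with a different key, or that has expired. The secret value, the claim names (`sub`, `role`, `iat`, `exp`), the 900-second lifetime and all function names are assumptions made for this example; a production service would use a vetted library rather than hand-rolled token code.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for this example only. In a real deployment the
# key comes from a secret store or KMS and is rotated; it never lives in source.
SERVER_SECRET = b"example-only-signing-key-change-me"

# Lifetime of an issued token in seconds (assumed value for the example).
DEFAULT_TTL_SECONDS = 900


def _b64url_encode(raw: bytes) -> str:
    """base64url without padding, as is customary for tokens carried in headers."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, secret: bytes) -> bytes:
    """HMAC-SHA256 over the encoded payload; only the key holder can produce it."""
    return hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()


def issue_token(claims: dict, secret: bytes = SERVER_SECRET,
                ttl_seconds: int = DEFAULT_TTL_SECONDS,
                now: Optional[int] = None) -> str:
    """Server side: build <payload>.<signature>. Nothing is stored for later lookup."""
    issued_at = int(time.time()) if now is None else now
    payload = dict(claims, iat=issued_at, exp=issued_at + ttl_seconds)
    body = _b64url_encode(
        json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{body}.{_b64url_encode(_sign(body, secret))}"


def verify_token(token: str, secret: bytes = SERVER_SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Server side, on every request: return the claims if the token is genuine
    and unexpired, otherwise None. No session table is consulted."""
    try:
        body, sig_text = token.split(".")
        presented = _b64url_decode(sig_text)
    except ValueError:           # wrong segment count or undecodable signature
        return None
    # Recompute the tag and compare in constant time so that response timing
    # does not leak how many signature bytes matched.
    if not hmac.compare_digest(_sign(body, secret), presented):
        return None              # payload or signature was altered, or wrong key
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:           # covers bad base64, bad UTF-8 and bad JSON
        return None
    current = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= current:
        return None              # missing or past expiry
    return claims


def rewrite_claim_unsigned(token: str, claim: str, value) -> str:
    """Negative-test helper: change one claim in the payload while keeping the
    original signature, i.e. what someone without the key could do to a token.
    Used only to show that verify_token rejects the result."""
    body, sig_text = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims[claim] = value
    new_body = _b64url_encode(
        json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{new_body}.{sig_text}"


if __name__ == "__main__":
    token = issue_token({"sub": "alice", "role": "user"})
    print("issued :", token)
    print("genuine:", verify_token(token))
    print("altered:", verify_token(rewrite_claim_unsigned(token, "sub", "bob")))
    print("expired:", verify_token(token, now=int(time.time()) + DEFAULT_TTL_SECONDS + 1))
```

Two points from the thread are visible in the code: `verify_token` never looks anything up, so the server keeps no session table and the client must present the token on every request; and because the tag covers the encoded payload, rewriting any claim (including `exp`) without the key leaves a signature that no longer matches. Encoding alone gives no protection here: anyone can base64url-decode the payload and read it, which is why the signature does the work.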
That's a wrap!
If you enjoyed this thread:
1. Follow me @thebinarybot for more of these
2. RT the tweet below to share this thread with your audience
