I would like you to answer some questions that I've been asking myself in the last few days. They're regarding the use of tokens for security reasons.
Let's suppose that when a user logs in, I store the userID in the session. I understand that one reason to use a login token is to store it in the DB and in the session, and then compare both values when the user requests some resource or action, in order to guarantee authenticity.
Now, what is the problem with simply using the userID value stored in the session to guarantee that? Attackers are not supposed to be able to set the victim's ID in the session, are they?
In other words, why can't I give the resource to the requester if I have checked that the userID value in the session matches his ID, and nobody without his credentials could have logged in and stored that ID in the session?
Thanks in advance and regards.
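An added example, not part of the original post, of the token scheme the question describes: on login a random token is written both to the user's DB record and to the server-side session, and each request compares the two. The dicts are constructed in-memory stand-ins for the DB table and the session store; the `invalidate_logins` helper is assumed here to show one thing the stored DB copy makes possible (server-side revocation) that the userID alone does not.

```python
import hmac
import secrets

# Constructed stand-ins: a DB table keyed by user id, and a server-side
# session store keyed by an opaque session id (what the cookie would carry).
USERS_DB = {42: {"login_token": None}}
SESSIONS = {}


def login(user_id: int) -> str:
    """Open a session for an already credential-checked user.

    A fresh random login token is stored in the DB row and in the session.
    Because the DB holds a single token per user, a new login replaces the
    previous token and therefore ends any older session of that user.
    """
    token = secrets.token_hex(32)
    USERS_DB[user_id]["login_token"] = token
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": user_id, "login_token": token}
    return session_id


def invalidate_logins(user_id: int) -> None:
    """Server-side revocation: clear the DB copy so every session that
    still carries the old token fails the comparison on its next request."""
    USERS_DB[user_id]["login_token"] = None


def authorize(session_id: str, requested_user_id: int) -> bool:
    """Grant the request only if the session belongs to the requested user
    AND the session's token still matches the token recorded in the DB."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["user_id"] != requested_user_id:
        return False
    db_token = USERS_DB.get(requested_user_id, {}).get("login_token")
    if db_token is None:
        return False  # no active login on record for this user
    # Constant-time comparison avoids leaking how much of the token matched.
    return hmac.compare_digest(db_token, sess["login_token"])
```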