How to prevent Rest web-service Authentication with stolen Token

Hemant Metalia :

As we know Rest services are stateless, General strategies to authenticate is using a token based authentication.

In login service it takes credentials which returns a token.

This token might be set in client cookies, and all subsequent requests uses this token to be validated and process new request if token is valid.

Now my question is how one can validate the token ? If someone has stolen the token and tries to access rest services with stolen token by just editing cookies then how can it be identified and restricted ?

We can never know if the token is fetched by valid user and same user is trying to access subsequent request. but what are the possible ways to make it more hard, like to verify if the request has came from same source ?

One general suggestion is to set aging for token/cookies, but it still not helpful till the age of that token/cookies.

Any suggestions would be appreciated.

Hemant Metalia :

After struggling through various approach We found a solution explained below:

1. We store token (encrypted) in cookies on login request and for each subsequent request this cookie gets validated.
2. The problem was if someone replace the token in cookie with another valid token, as cookies are maintained by client browser.

Solution :-> Though token values were encrypted, it was representing only one value, So if one replace whole encrypted value with another valid encrypted value it can be hacked.

So to solve this we have added another cookie which was combination of multiple values.

e.g.

Cookie 1 -> encrypted token

Cookie 2 -> An encrypted object containing information like username+ some other user context details+token

So in case of Cookie 1, it was easy to replace with another encrypted value as it was representing only one token though it was encrypted.

But in case of Cookie 2, it was containing object with multiple values, so only token value can not be modified, encrypted and set back in same cookie.

Before authentication We are doing decryption whole cookie 2, fetch token part from it and validate the token part of it against cookie 1.

That has solved our problem !!

Thanks all for your time and guidance.

Guess you like

Origin http://10.200.1.11:23101/article/api/json?id=418523&siteId=1

How to prevent Rest web-service Authentication with stolen Token

How to prevent SMS verification code from being stolen by others

How to prevent corporate internal training videos from being stolen and downloaded?

How to prevent the exclusive legendary version from being stolen?

How to prevent the SMS interface from being maliciously invoked and attacked to prevent the verification code SMS from being stolen?

Json Web Token authentication

Based JWT (JSON Web Token) of the authentication token

Java Web Token authentication mechanism

How to pass authorization token in header in Rest assured?

REST and authentication

token authentication

Web authentication and session maintenance (session, token)

Token-based WEB background authentication mechanism

PostMan test REST interface when and how to bypass login authentication

How swagger join Authentication token value in the UI interface

How to debug "Unable to process JSON" error, while calling my web-service using Postman?

REST service call with Camel which requires authentication api called first

错题集：The authentication token issued by the Identity service has expired in keystone

REST API Signature Authentication

How to log time taken by Rest web service in Spring Boot?

Implementation of jwt (json-web-token) in rest --jersey

JWT implement token authentication

Be token based authentication restframework

Login token authentication mechanism

Authentication token Auth

Based on the principle of authentication token

Pulsar Token Authentication

Angular the jwt token authentication

the authentication token vue cli

Simple Token authentication process