Website security without javascript or cookies

O

oopaevah

What are the pitfalls of passing a token in the url once a user is
logged on so I can remember who they are?

I can easily implement this by adding &token=abcdefghijklmnop123 to
each internal link on my web pages once the user is logged on.

I won't be passing the username or password in the url, just a token
that is created when a user logs on. When the server receives the token
it maps it back to the account id. This saves the user from logging on
all the time and also means I don't rely on javascript or cookies.

I can make the token time out after ten minutes of inactivity. I could
also encrypt the client ip address in the token for further security
and check it on the server. Is this wise? How dynamic can IP addresses
be? Can a surfer's ip address change without dialing off and back in to
the isp?

My "token in the url" proposal isn't used by Amazon and that makes me
think I'm missing some security issue. Amazonseem to use cookies for
all but the secure pages and then seem to use a token in the url over a
https link for the more secure pages, which scrambles the token.

Thanks for any insights
 
B

bruce barker \(sqlwork.com\)

as long as they are random, then they are as secure as a cookie over http,
but not as secure as a cookie over https (as the cookie value is encrypted).
your rist is hijacks, either with a sniffer, or guessing the token value.

you can not count on the ipaddress to remain constant, nor that two users
have different ipaddresses (as they my be using the same proxy).

-- bruce (sqlwork.com)
 
G

Guest

If you can't use javascript or cookies, why not just use Session and set
cookieless=true?
Peter
 
O

oopaevah

I want more control and it's simple to achieve the same thing as
cookieless=true without the asp.net session. It just uses the url as I
intend to so there's no point. As much as I love .net I don't like
being hand held through things I can do myself easily.

I will probably use a cookie primarily and only use the url if cookies
are not available. I want my web site to have as much reach as
possible, even out to mobile phone devices with no support for css,
javascript or cookies.
 
O

oopaevah

Thanks for the reply bruce, can you say more about why I can't rely on
a user having the same ip address without reconnecting to their isp?

I don't mind proxies having the same ip address, I just want extra
protection so that the vast majority of people can't hijack a session
by just grabbing the token by network sniffing.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Issue with passing fetched data to POST form. How can I? 0
I need help fixing my website 2
Need tips on adding an auth layer to an existing webapp 1
Get Parameter from URL in JavaScript that starts with # and not ? 1
Collect Excel Data from Website 5
Help with Python Flask on PI as server SSE to website 0
JavaScript Challenge: Validating Email Addresses 1
Need help with this script 4

Members online

Total: 24 (members: 2, guests: 22)
Robots: 422

Forum statistics

Threads
473,770
Messages
2,569,584
Members
45,075
Latest member
MakersCBDBloodSupport

Latest Threads

Top