Hello all, I am making an Android app and I want to use sessions stored on my server for authenticating a user every time they send a request after login. Now I have one doubt. On most of the websites I get to see that you should set an expiry time on tokens, and after that, first on every request you should send this token; if it has expired, then you will send the refresh token from the app, and if it is the same, the server will again generate a new token. This is the basic approach I have read everywhere for handling sessions for mobile apps.

Now I want to ask one thing: don't you all think that if someone cross-engineers my Android app, and if he can get his hands on my token, then he can also get his hands on my refresh token? I think in 100% of the cases if someone steals my token then he/she must also get my refresh token, so don't you all think that this refresh token thing is doing nothing for security, only just increasing a little bit the time it takes a hacker to get it? Because of this I think setting an expiry time on tokens is just a waste.

Now if anyone agrees with me, can you all please tell me any alternative to expiring tokens, and if anyone doesn't agree with me, please tell me what I am getting wrong about this refresh token thing and how I can securely use sessions for my Android app??

CommonsWare
aman verma

1 Answer

Similar to Why Does OAuth v2 Have Both Access and Refresh Tokens?

while the access token can be used to access resources, the refresh token is useless unless you also have the client/client_secret.

That, it appears, might not make much sense if you aren't already using OAuth 2.0 to secure your REST service.

OK, so if this is not OAuth 2.0 but a home-grown token-based system, then just implement the same principle. When it's time to issue a renewal token, your "client" should make a special request. A request that is:

(a) unique to the client (can't be copied from the logs and re-posted or hijacked)

(b) encrypted/restricted in a way that makes its use outside of your program impossible (e.g. include data that only your client/server will know and, more importantly, only the code in your client can send).

(c) tied back explicitly to the original auth_token

This makes the bulk of your requests easy to process (with a standard HTTP header) and the renewal request "useless" unless you have the code embedded in your client.

There are lots of posts on OAuth 2.0 (and how to use it client side), if you decide to implement something standards-based.

Community
bri
  • What is client/client_secret? Can you please elaborate in detail?? – aman verma Jan 10 '16 at 19:49
  • Sure. Updated answer. – bri Jan 10 '16 at 20:33
  • Hey, thanks a lot man for this answer, but again, don't you think if somebody reverse engineers my app then he/she has access to everything? Even if I am encrypting it in my app, then in the code he can easily find what secret and which algo I am using and then he will decrypt it. Actually the point I want to convey is that besides saving anything on the server, saving anything on the client (e.g. refresh token) is useless, because no matter what, if one single time my app is reverse engineered then the hacker will go to each of my routes and see all the data which he/she needs to send so as to authenticate him?? Pls reply – aman verma Jan 11 '16 at 12:27
  • Of course. But the far more likely scenario is sniffing/watching web traffic (http vs https), trolling weblogs or CSRF attacks like [this one](http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html?m=1). Because they're cheap. Each step in the process is meant to (a) prevent a breach and (b) contain breaches as they occur. Maintaining one (variable) piece of your "puzzle" server side is the (next) step -- protecting against this (new) vulnerability. Protocols like OAuth are probably further along than you are in thinking this through; maybe use one? – bri Jan 11 '16 at 12:41
  • On more thought, man. Ever consider posting a general "best way to secure a client-side app using tokens" on http://security.stackexchange.com/ ? That community is a great resource for q's like this one. – bri Jan 11 '16 at 12:54
  • Also, so at least what I think is I should encrypt the token and password on the mobile side so that I can prevent them from attacks like middleman?? – aman verma Jan 11 '16 at 13:04
  • Thanks a lot man @bri for helping me out here. Sorry I cannot accept your answer as I am waiting for a more right answer. Also, you are a CEO; it is really great of you to give time on a community like Stack Overflow so that people like me can start from scratch. – aman verma Jan 11 '16 at 13:04
  • No worries. And don't believe the hype. CEO is just a title like all the others ;-) – bri Jan 11 '16 at 13:40
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/100394/discussion-between-aman-verma-and-bri). – aman verma Jan 11 '16 at 15:38
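As an added illustration of the renewal request the answer describes (properties (a) to (c)) and of bri's point about keeping one variable piece of the puzzle server side, here is a small Python sketch that is not code from the answer or from any project on this page. The renewal request carries a nonce and timestamp (single use), is HMAC-signed with a per-client secret (usable only by a holder of that secret), and names the token being renewed; the client id, secret, token format and wire layout are all constructed for the example.

```python
import hashlib, hmac, secrets, time

class TokenServer:
    """Server side of a home-grown token scheme along the lines the answer sketches.
    Renewal requests are (a) single-use via a nonce, (b) HMAC-signed with a per-client
    secret shared only by app and server, and (c) bound to the token being renewed."""

    def __init__(self, clients, access_ttl=900, skew=60):
        self.clients = clients        # client_id -> client_secret (constructed sample data)
        self.sessions = {}            # access_token -> (client_id, expires_at)
        self.seen_nonces = set()      # nonces already accepted, for replay detection
        self.access_ttl = access_ttl  # access-token lifetime in seconds
        self.skew = skew              # tolerated clock drift for the renewal timestamp

    def login(self, client_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (client_id, now + self.access_ttl)
        return token

    def authenticate(self, token, now=None):
        """Ordinary request: the bearer token alone is checked."""
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        return sess is not None and now < sess[1]

    @staticmethod
    def canonical(client_id, token, nonce, ts):
        # Exact bytes both sides sign; including the old token is property (c)
        return f"{client_id}|{token}|{nonce}|{ts}".encode()

    def renew(self, client_id, token, nonce, ts, sig, now=None):
        """Renewal request: returns a fresh token, or None if any check fails."""
        now = time.time() if now is None else now
        secret, sess = self.clients.get(client_id), self.sessions.get(token)
        if secret is None or sess is None or sess[0] != client_id:
            return None  # unknown client, unknown token, or token not issued to this client
        if abs(now - ts) > self.skew or nonce in self.seen_nonces:
            return None  # stale or replayed request: property (a)
        expected = hmac.new(secret, self.canonical(client_id, token, nonce, ts), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # not signed by a holder of the client secret: property (b)
        self.seen_nonces.add(nonce)
        del self.sessions[token]  # retire the old token so only the renewed one is live
        return self.login(client_id, now)

def sign_renewal(client_secret, client_id, token, nonce, ts):
    """Client side: the signature the app attaches to its renewal request."""
    msg = TokenServer.canonical(client_id, token, nonce, ts)
    return hmac.new(client_secret, msg, hashlib.sha256).hexdigest()
```

As the comments point out, a secret compiled into the app can be recovered by reverse engineering; what the server-side nonce set and session table still buy is that a captured renewal request cannot be replayed and a stolen token can be retired, which bounds how long a theft stays useful.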