I am trying to integrate SignalR with an existing Single Page Application. So I have an ASP.NET application that hosts a SignalR hub class. My JavaScript client attaches to the hub and waits for a notification. It works so far. But the problem comes when I try to add authentication. I need only authenticated users to be able to deal with the hub. Our authentication is with an access token. From all the examples on the internet I found that this token could be sent to the hub via a query string.

    // appended as ?Bearer=<token> to every request the SignalR client makes
    $.connection.hub.qs = "Bearer=" + authService.accessToken;

But the problem here is that this token can be seen by any tool that can observe the HTTP requests. So how can I protect against or avoid this?

From all the posts I found there are examples with

    // AccessTokenFormat is an ISecureDataFormat<AuthenticationTicket>; Unprotect
    // decrypts and verifies a token this server issued, or returns null if it is not valid
    var authenticationTicket = Startup.AuthServerOptions.AccessTokenFormat.Unprotect(token);

It seems the token has been protected, but there are no examples of how?

Is there a clean example of this?

Thanks!

  • What about using HTTPS? – xleon Nov 02 '16 at 13:07
  • http://stackoverflow.com/questions/499591/are-https-urls-encrypted If you're using HTTPS, even the URL is encrypted. The only people who would ever see the token would be the client and server (assuming a correct SSL/TLS implementation, of course). – Kritner Nov 02 '16 at 15:38
  • To clarify vs what the prior comments suggest, you're more concerned with malicious capture of the access token directly inside the client browser--cross-site request forgery and/or things like browser extensions obtaining the access token? – UtopiaLtd Nov 02 '16 at 21:39
  • Hello, if I use HTTPS, will the query string be secured and not visible through Fiddler, for example? And yes, I am more concerned with malicious capture of the token. – Nikola Cekov Nov 08 '16 at 08:03

0 Answers
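Since the thread has no answer, here is an added example of the server side that the question asks for. It is not code from the question or from the SignalR project; it assumes ASP.NET SignalR 2 on OWIN/Katana, the `Microsoft.Owin.Security.OAuth` package, and that the tokens were issued by an `OAuthAuthorizationServer` in the same application (so both middlewares share the default `TicketDataFormat` and its data-protection key). The namespace, hub name, `/signalr` path and the `Bearer` query-string parameter (chosen to match the question's `qs`) are illustrative. Rather than calling `AccessTokenFormat.Unprotect` by hand, it lets the bearer middleware do the unprotecting and expiry check, and only accepts a query-string token on the SignalR path, so the token does not end up in the URL of any other request.

```csharp
// Added example (not from the question or any answer): ASP.NET SignalR 2 on OWIN/Katana.
// Assumes Microsoft.AspNet.SignalR and Microsoft.Owin.Security.OAuth, and that the
// authorization server that issued the tokens runs in this same app (shared data-protection key).
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(SignalRAuthDemo.Startup))]

namespace SignalRAuthDemo
{
    // The bearer middleware normally reads the Authorization header. Browsers cannot set
    // headers on the WebSocket / long-polling requests the SignalR client opens, so on the
    // SignalR path only, hand the middleware the token from the query string instead.
    public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
    {
        private readonly PathString _hubPath;
        private readonly string _paramName;

        public QueryStringOAuthBearerProvider(string hubPath, string paramName)
        {
            _hubPath = new PathString(hubPath);   // hypothetical values supplied by Startup
            _paramName = paramName;
        }

        public override Task RequestToken(OAuthRequestTokenContext context)
        {
            // Every other endpoint keeps using the Authorization header, which keeps the
            // token out of URLs (and therefore out of proxy and web-server access logs) there.
            if (context.Request.Path.StartsWithSegments(_hubPath))
            {
                var token = context.Request.Query.Get(_paramName);
                if (!string.IsNullOrEmpty(token))
                {
                    // The middleware will run AccessTokenFormat.Unprotect on this value and
                    // reject it if the MAC fails or the ticket has expired.
                    context.Token = token;
                }
            }
            return Task.FromResult<object>(null);
        }
    }

    public class Startup
    {
        public static OAuthBearerAuthenticationOptions BearerOptions { get; private set; }

        public void Configuration(IAppBuilder app)
        {
            BearerOptions = new OAuthBearerAuthenticationOptions
            {
                // AccessTokenFormat is left at its default, TicketDataFormat: the ticket is
                // encrypted and MACed with the host's data-protection (machine) key. That is
                // the "protection" behind Unprotect(token). It makes the token opaque to the
                // client, but it is still a bearer credential: whoever captures it can use it
                // until it expires, so serve over HTTPS and keep the token lifetime short.
                Provider = new QueryStringOAuthBearerProvider("/signalr", "Bearer")
            };

            app.UseOAuthBearerAuthentication(BearerOptions);   // must be registered before MapSignalR
            app.MapSignalR(new HubConfiguration { EnableDetailedErrors = false });
        }
    }

    // Microsoft.AspNet.SignalR.AuthorizeAttribute: rejects the connection itself, not just
    // method calls, when the request carried no valid token.
    [Authorize]
    public class NotificationHub : Hub
    {
        public Task Subscribe(string topic)
        {
            // Context.User is the ClaimsPrincipal the bearer middleware built from the ticket.
            var user = Context.User.Identity.Name;
            Clients.Caller.subscribed(topic, user);
            return Groups.Add(Context.ConnectionId, topic);
        }
    }
}
```

With this in place the client's `$.connection.hub.qs = "Bearer=" + authService.accessToken;` works unchanged. HTTPS is still mandatory: it encrypts the URL on the wire, as the comments say, but nothing stops a local proxy such as Fiddler that the user has trusted, a browser extension, or an XSS payload from reading the token inside the client, and the query string is recorded by any reverse proxy or IIS log along the path. Short token lifetimes and limiting the query-string path to `/signalr` bound that exposure; they do not remove it.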