3

This is an existing system with a login screen, now I expose some services as REST service. I build an authentication-token login system for this Rest(jersey) service. User sends username-password then server returns a token calculated as;

sha1(username+password+currenttime(or any random number))

User will use this token to login the app for further requests. And server keeps a copy of the token in the database with a time stamp and user id, and logins that user if timestamp is valid.

Considering HTTPS will be used, a few questions;

Does everything looks ok in my design? (generation of hash and the way I save in DB) Looks to me the weakest point is I need to send plain username and password over POST request, but since it is HTTPS I guess it will not be a problem.

another thing, for the first request, since it is an existing system I dont have the user passwords in my DB but keep a salted hashed version of them. Which I guess not safe to give all the clients this salted algorithm to send me a hash of their passwords so I compare hashs but not the passwords. does this make sense=

Improve this question
1
  • 1
    There's no need to calcuate a token using SHA1, username and password. A randomly selected number will be similarly secure. Commented Dec 26, 2012 at 13:58

2 Answers 2

Reset to default
1

1/2- I'd suggest POSTing the username/password to the server, which can then return the token in the body. Makes most sense to me: you're not actually storing much on the server, so PUT would be wrong, and a query parameter doesn't make sense at all. Headers are supposed to be somewhat consistent across requests, so they don't make sense either. When actually communicating using the token, feel free to use a query parameter or header. Doesn't really matter.

3- I'd pick a slightly longer hashing algorithm (sha256?)

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

tnx when client makes a request with a token later for example updating his account. I use PUT but not POST, is that ok?
PUT/POST doesn't really matter security-wise, it's just the semantics of those methods that differ.
I use a POST to send the password, username/pass in HTTP Authoraztion Basic header and receive token in body. later client will POST/PUT tokens in a custom header. correct?
Don't use headers to exchange username/password information. It just doesn't make sense.
doesnt HTTP Authoraztion Basic header meant to send user name passwords? so why it does not make sense?
|
1

  1. I would typically pass the token in an HTTP header.

  2. Whether you use POST or PUT shouldn't matter.

  3. Something else I would suggest to help prevent replay type attacks would be to include a nonce (ever increasing value) with each POST request. The server would then track the last used nonce and prevent any requests that use a previously used nonce from executing.

Improve this answer

4 Comments

tnx, for 1, using HTTP authorization basic header gives any benefit, or any header is Ok
Any system that involves a nonce value would need a shared secret that's not sent with each request. This would seriously complicate this system, and it's not really necessary because nonces aren't that useful when used on HTTPS.
@Spring - any header should be fine.
@Tom - agreed, it's probably unnecessary over HTTPS, but curious why an additional shared secret would be necessary. Seems like the authentication token would be sufficient (unless you wanted to use HMAC or something similar to "sign" the data)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.