0

We are creating a software application (using node-webkit), with uses a backend database in an Apache server, using Symfony as the framework of choice. The users log in using a serial number. Now since there won't be any sessions/expiration, etc, what we are currently doing is we are resending the serial number from the application to the server with every single operation. It works, but I'm sure this is not the best practice. Any simple sniffing can reveal the serial number. What is the best way for authentication in this case? (we do not want to be using sessions)

Appreciate it

Improve this question

2 Answers 2

Reset to default
2

Instead of handing back a serial number you hand back a Json Web Token (http://jwt.io/). The token payload would consist of the serial number as well as the requesting origin.

The client then returns the token on each request. JWT's are signed so even if someone else grabs the serial number out of the token they could not change the origin without it being detected. Your server uses a secret key to generate and verify the signatures.

By the way, any time you are transferring something sensitive (such as a serial number) you should always use https. Does not really matter how you try to hide something, sniffers can always grab it.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Can you explain this further "JWT's are signed so even if someone else grabs the serial number out of the token they could not change the origin without it being detected". Why can't he just resend the token as it is, to get access.
The token has a payload which could include the serial number as well as the origin of the request. So someone submitting the token from a different origin would also have to spoof the origin to gain access. Not all that hard but one more step at least. Bottom line: if you want a secure connection then you must use https.
Surely I will use https. If I do, then there's no point of using tokens, I can just send the serial number as a post variable in every request?
Yep. There is additional information such as permissions which might be convenient to store in a token and save having to look it up on the server side for each request.. But if you don't need any of that then using https plus your serial number is fine and is as secure as other approaches.
That wraps it up nicely. Thanks!
2

What you have described is really how sessions work, except most commonly use cookies to send the session id instead, but it must be sent per-request as http is stateless. (except the session id is random)

You can try using OpenAuthentication (OAuth). There is a popular bundle called FOSOauthServer.

OAuth has different grant types. grant type password is the closest but expects a username/password sent. Password could be blank and the username could be the serial number, however it's best to create a custom grant type to look up the user via the serial number instead. See here.

You can use the serial number to generate an authentication token for subsequent access. there should be some client side implementation for node you can use to handle all this but it's rather trivial.

this way the authentication token that is returned is sent in the http headers and there is no exchange of the serial number.

Also note that the authentication key does expire but there is a refresh token for that.

Further, you should use https to secure the connection if you're worried about sniffing anyway.

Example Request with custom grant type using FosOauthServer:

http://localhost:8000/oauth/v2/token?client_id=1_2n0hvjywrfeoowswk84ggcs0cwwwccwg80g4s4kw04g0o0kos4&client_secret=60m8u9xkzns4gwos4csw40o0ccwg4cgkksggwgwcgcc0s0ksog&grant_type=http://custom.com/grants/serial&serial=123456

Response:

{
"access_token": "NjY2MzA3NzE5OWI2YjdhNWViYTg0MmI2NmIyNDE5MjAyNWM4OTcxMzg1MjY2ODk3NmZiNDIwODM0Y2VmNmZkMg",
"expires_in": 3600,
"token_type": "bearer",
"scope": null,
"refresh_token": "ZWRjNWNhMjcxYzRhNWNjNzk3ZmQzMzM5ODgzYzI1YzNlZjcwNzhkYjNhNjA2YzNiZTY0MTM5ZDllYWNhYzliMg"
}

Now for the secured URLs you add the token to the http header per request. Or Alternatively use a OAuthClient to do it for you and handle refresh.

Authorization Bearer NjY2MzA3NzE5OWI2YjdhNWViYTg0MmI2NmIyNDE5MjAyNWM4OTcxMzg1MjY2ODk3NmZiNDIwODM0Y2VmNmZkMg
Improve this answer

1 Comment

Thanks for the elaborate answer. Something to clear up my fundamental understanding of tokens. Clearly the whole purpose of this is to hide away sensitive information (serial #) being exposed in every operation. But doesn't the same apply with tokens? I mean, the sniffer can grab the token and use it for access. If you say that the token has an expiry date, well the sniffer also will have access to the refresh token, so he basically got what he needs to access the server. Please explain

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.