
I'm securing my RESTful PHP API by authorizing only HTTP requests with a valid access token in the header. I added the header with the token to all my AJAX requests:

   # Send the API token as a header on every jQuery AJAX request
   $.ajaxSetup headers:
     auth_token: auth_token

In order to secure the image access, I wanted to use the same logic and add the token to the request header. Apparently, I can do that only with an AJAX request and Base64 image data:

   # Fetch the image through AJAX (so the header is sent) and inline it as a data URI
   $.get url, (imageData) =>
     $image.attr src: "data:image/jpeg;base64," + imageData

I'm not sure about the performance, because my image sizes are between 12 bytes and 4 MB, and I also want full mobile support.

The other way I found is with a query string:

   # Pass the token in the URL instead of a header
   $image.attr src: 'image/12.jpg?auth_token=' + token

It's working great, except that my image won't be cached when the token changes.

What options are left?

SuperSkunk

1 Answer


You could use a cookie. The first request sets the cookie (like a session cookie) that you sign so it can't be faked. Then for image requests, or any other requests for that matter, check that the browser sends that cookie with the right code that you can link to the original request. This way you only need the token on the first request.

Pascal Belloncle
  • Well, I have a cookie set, but I check whether my token (from the headers) corresponds with the token in the session/cookie. Is it unnecessary? – SuperSkunk Jan 25 '13 at 23:01
  • I would think checking for the presence of either is enough. Cookies are just one more thing in the HTTP header of the request. – Pascal Belloncle Jan 25 '13 at 23:16