The following Flask RESTful Destroy User Token discusses how to destroy a flask token, however this does not prevent a man in the middle attack. Is there any way to invalidate the token so it is no longer active before the time it expires?
- If you're not sending session tokens across an encrypted connection, why wouldn't you? SSL is one way to mitigate MITM attacks (prevention is an attainable goal). – Makoto Jan 08 '15 at 00:31
- I am sending them over SSL. I am using the tokens to connect an iOS app to a web backend. I just don't want the case that if someone discovers a token it is still active even after a user logs out. – Adil Ansari Jan 08 '15 at 07:29
1 Answer
The tokens shown in the question you referenced are created by adding a cryptographic signature to some data. Typically the data stored in a token includes the token owner (for example the user id), and can also include an expiration date.
The nice thing about these tokens is that all the useful data is stored inside the token, so you do not need to store anything in your database. You just pass the token to the client, and when the client sends it back you decode it and use the information in it to know who the client is.
The downside of this approach is that there is no simple way to revoke a token, because tokens are not stored anywhere. To extend this mechanism to allow revocation, you can add a database table where revoked tokens are stored. Then during token validation you not only decode the token, but also make sure that the token is not in your revoked list.
Another, completely different approach is to not use signed tokens. Just make the token a random UUID and store it in the user table for each user. If you index it, then when the client sends the token you can locate the user with a database search. And then revoking a token is simply done by clearing the token field for the user.
I hope this helps!
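The first scheme from the answer (signed token carrying the user id and expiry, plus a revoked-token list checked on every request), as an added example that is not part of the original thread. It uses only the standard library instead of the itsdangerous serializer from the referenced question; `SECRET_KEY` is a constructed placeholder and the `REVOKED` set stands in for the database table the answer describes.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example: SECRET_KEY is a placeholder (use a long random
# value loaded from config in practice) and REVOKED is an in-memory stand-in
# for the revoked-tokens table the answer proposes.
SECRET_KEY = b"replace-with-a-long-random-secret"
REVOKED = set()  # token strings that were revoked before their expiry

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()

def generate_token(user_id: int, expires_in: int = 3600, now=None) -> str:
    """Return "<base64 payload>.<base64 signature>" holding user id and expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"id": user_id, "exp": int(now + expires_in)}).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_sign(payload)).decode())

def verify_token(token: str, now=None):
    """Return the user id, or None if the token is forged, expired or revoked."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed structure or bad base64
        return None
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)
    if data["exp"] < now:
        return None
    # The extra step the answer adds: a validly signed token is still rejected
    # once it has been put on the revoked list (e.g. by logout).
    if token in REVOKED:
        return None
    return data["id"]

def revoke_token(token: str) -> None:
    """Logout handler: record the token so it is rejected before it expires."""
    REVOKED.add(token)
```

Entries in the revoked list only need to be kept until the token's own expiry time, after which the expiry check rejects it anyway.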
- Thanks Miguel, that addresses my issue perfectly. Is using a token and then invalidating it like this a secure way to keep a user logged into a web api, via a mobile device i.e. keep it in the iOS keychain? – Adil Ansari Jan 09 '15 at 07:34
- @AdilAnsari: it is secure as far as the device is secure. Most apps do not revoke tokens, as far as I know, that is a measure you reserve for when you find out about a breach. You really need to find a balance, you want security, but for most applications you don't want to have to ask your users to provide credentials every time they want to use your app. For a banking app this would make sense, but for something less important than that maybe not. – Miguel Grinberg Jan 09 '15 at 15:15