Token-based auth works this way:

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without using their username and password. Once their token has been obtained, the user can offer the token - which offers access to a specific resource for a time period - to the remote site.

How could this be considered secure? When the server issues a token to the client, any hacker in the middle can steal that token and appear before the server as a valid client. So tell me, how do I generate a theft-proof token?

Discuss how a token can be passed back and forth between server and client in a very secure way, so that a man in the middle cannot hack it.

Mou

1 Answer

It's secure if the connection itself is authenticated and encrypted, and that's what HTTPS is for.

Authentication with a valid certificate ensures that the server the user is connecting and sending their credentials (password or token) to is the server they expected to get (...at least as long as the certificate authorities are trustworthy).

Encryption ensures that somebody listening in on the traffic won't be able to see any secrets.

Matti Virkkunen
  • So you mean to say that if we use HTTPS instead of HTTP then the token will be secured? Say for any reason we cannot use HTTPS, then how could we secure the token from evil eyes? Is there any workaround? – Mou May 13 '15 at 20:22
  • If you don't want to use HTTPS you have to come up with another implementation of authentication and encryption. But making secure cryptosystems is hard, so it's best to stick to proven standards if by any means possible. – Matti Virkkunen May 13 '15 at 20:25
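To make the answer concrete, here is an added example (not code from the question or the answer, and not tied to any real service) that shows the two halves it describes. The server side issues an unguessable, time-limited bearer token, since the token itself cannot be made "theft-proof" and the defence is to keep its lifetime short and never expose it on an unprotected channel. The client side uses Python's default TLS context, which already requires a valid certificate and checks the hostname, and refuses to attach the token to any URL that is not `https://`. The `TokenStore`, `TOKEN_TTL_SECONDS`, `authorization_header` and `context_allows_mitm` names, and the injectable clock used so expiry can be tested offline, are assumptions of this example.

```python
import secrets
import ssl
import time
from urllib.parse import urlparse

# Assumed value for this example: a bearer token is only good for 15 minutes,
# which bounds the damage if one is ever captured.
TOKEN_TTL_SECONDS = 15 * 60


class TokenStore:
    """Server side: hand out bearer tokens in exchange for a verified login.

    The token is 256 bits from the OS CSPRNG (secrets.token_urlsafe), so it
    cannot be guessed, and it expires after a fixed period.  `now` is injectable
    so the expiry logic can be exercised without sleeping.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now
        self._tokens = {}  # token -> (username, expiry timestamp)

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, self._now() + self._ttl)
        return token

    def validate(self, token):
        """Return the username bound to `token`, or None if unknown/expired."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self._now() >= expiry:
            del self._tokens[token]  # expired tokens are dropped on first use
            return None
        return username

    def revoke(self, token):
        """Server-side kill switch: invalidate a token before it expires."""
        return self._tokens.pop(token, None) is not None


def client_tls_context():
    """Client side: a TLS context that authenticates the server.

    ssl.create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True, which is what makes the server's certificate mean
    "this really is the host I asked for".
    """
    return ssl.create_default_context()


def context_allows_mitm(ctx):
    """True if `ctx` has certificate or hostname verification switched off.

    Either setting lets an attacker with a self-signed certificate sit in the
    middle and read the token, so a client should refuse such a context.
    """
    return ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname


def authorization_header(url, token):
    """Build the Authorization header, but only for an https:// URL.

    A bearer token on plain http:// is readable by anyone on the path, which is
    exactly the theft the question worries about.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send a bearer token over {scheme!r}; use https")
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice")  # after the password was checked elsewhere
    print("issued:", tok)
    print("validates as:", store.validate(tok))
    print("headers:", authorization_header("https://api.example.test/resource", tok))
    print("default context allows MITM?", context_allows_mitm(client_tls_context()))
```

Note that the client-side check is a guard against accidental misuse in your own code, not a substitute for the server refusing plaintext connections: the server should listen on HTTPS only (or redirect and set HSTS) so a token never appears on the wire unencrypted regardless of how the client is written.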