Mark Mark - 1 month ago 8
HTTP Question

Render html views for multiple clients

I'm writing a Node.js server that answers HTTP GET requests with a dynamic HTML page, rendered "on-the-fly" with some data retrieved according to the client requests.

To identify each client I use a session token (JWT), and this is sent back to the server as a query parameter in each GET request, along with the other information, i.e.:

my.domain/api/service?token=blablabla&req=123


It works, indeed. I wonder if sending the session tokens as query parameters is a good (and safe) idea.
I would send it in the headers, but it's harder on the client's page because now I just set an href tag to the URL above.

Do you recommend another way?

Answer

Security-wise, it doesn't really matter how you send it, as long as it doesn't contain sensitive information (e.g. a password), because it's not encrypted, it's encoded, and the token can be decoded very easily.

Even if someone (hacker, user, etc.) alters the token, the server will verify it and notice that (if you've set up verification correctly), and you can deny access to the page, media, data or whatever your user requests.

Important! Use SSL! Otherwise a hacker can steal the token from its owner and use it himself; the server only checks whether it's valid and not altered, not where it came from. Read more: man-in-the-middle attack


How you do it is totally up to you and your project; however, I would personally send it via a header.
