This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 33%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETZ%3C/text%3E%3C/svg%3E)
I have looking into code of a web application where token is generated and injected into url instead of auth cookie for each request token is passed with url to accessed secured action. The web application is using token instead of auth cookie. Token life is one day.
This is a sample url
http://localhost:48000/ACX/Default/Login?token=8kzRLdW8lQVIS0MrtlqdZJbmz9p22l33u1wspGOmLgCgEy2MG5XZ0JG1ovVZGiNX7KpAfBVn3
of that web application where token is passing through url.
This code is generating the token which would valid up to 24 hours:
public IActionResult Login([FromBody]LoginModel user)
{
if (user == null)
{
return BadRequest("Invalid request");
}
if (user.UserName == "johncitizen" && user.Password == "abc@123")
{
var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("KeyForSignInSecret@1234"));
var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
var tokeOptions = new JwtSecurityToken(
issuer: "http://localhost:2000",
audience: "http://localhost:2000",
claims: new List<Claim>(),
expires: DateTime.Now.AddMinutes(1440), // valid till 24 hours
signingCredentials: signinCredentials
);
var tokenString = new JwtSecurityTokenHandler().WriteToken(tokeOptions);
return Ok(new { Token = tokenString });
}
else
{
return Unauthorized();
}
}
My question is: when token is passed through the URL, then any other person can get the URL and impersonate the user. I guess passing token through URL is not secure.
What can we do as a result token would be secure passing through URL? I want to change flow bit in such a way that if another user copy and paste the same URL, then he will not be able to access protected resource. So how to achieve and secure long life token?
Please guide me with approach in details. Thanks
if the token is a single-use token then it is ok to send it in URL as JWT tokens are URL safe and base64 encoded. Signed tokens has public/private keys so at the time of validating tokens client data validation happens.
in my case same token is passing with url again & again because token life is 24 hours. so after 24 hours new token will be assign. in the mean time if any user get the url with token then he can appear before website as valid user. so i am trying to know how passing token through user is secure? i guess not secure.
so tell me a approach where i will pass token in url which would valid upto 24 hours but other user can not use that token?
if you understand the use case then please share a solution else i can explain again in more detials.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
As long as you use SSL, the url is protected from other users, but the user has access and can copy, paste and share. That is also actually true of the cookie, but it’s more work (need to copy the cookie and use postman or curl to do the request)
Sir thanks for reply.
in my case same token is passing with url again & again because token life is 24 hours. so after 24 hours new token will be assign. in the mean time if any user get the url with token then he can appear before website as valid user. so i am trying to know how passing token through user is secure? i guess not secure.
so tell me a approach where i will pass token in url which would valid up to 24 hours but other user can not use that token?
if you understand the use case then please share a solution else i can explain again in more details. thanks
Usually a JWT (token) is passed once in a redirect URL from an identity server to your client application. From that point, the client application passes the token in the authorization HTTP header to access secured resources; usually a REST service. The JWT is signed so it can't be tampered and the connection is encrypted.
in the mean time if any user get the url with token then he can appear before website as valid user.
What user? The current user that authenticated?
Can you explain why the token is passed again and again in the URL? What resources does the token secure? A web application? Web API?
here i asked the question that if token passed in url then how could i make it secure ? you suppose to give answer but you are asking me question.
you need to define your security requirements. what are you trying to secure against? the url token if used over ssl is safe from hijacking and network monitoring, but is easily copied and sent to another individual (share page) and valid for the life of the token. is this important?
as suggested, url tokens typically are one time use or very short lifespan.
here i asked the question that if token passed in url then how could i make it secure ? you suppose to give answer but you are asking me question.
There is nothing wrong with asking clarifying questions in these forums. That's what the comments are for.
I re-read your posts. It appears you are trying to make the url secure from copy (share). As suggested this is done with a one use token. That is the token is only valid for one request. the server keeps track of whether the token has been used.
note: this does not prevent sharing, only limits the use of sharing. if you better explained your use case, we could help more.