ASP.NET Core MVC: How to secure token when passing with url
-
i got a application developed with asp.net core mvc where token is always passed with url. it seems if we pass token with each url then it is not secure way. so any time any other user can get url and appear before server as right user. our token life is 24 hours. sample url looks like http://localhost:48000/ACX/Default/Login?token=8kzRLdW8lQVIS0MrtlqdZJbmz9p22l33u1wspGOmLgCgEy2MG5XZ0JG1ovVZGiNX7KpAfBVn3[^]
This code is generating the token which would valid up to 24 hours:
public IActionResult Login([FromBody]LoginModel user)
{
if (user == null)
{
return BadRequest("Invalid request");
}if (user.UserName == "johncitizen" && user.Password == "abc@123") { var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("KeyForSignInSecret@1234")); var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256); var tokeOptions = new JwtSecurityToken( issuer: "http://localhost:2000", audience: "http://localhost:2000", claims: new List(), expires: DateTime.Now.AddMinutes(1440), // valid till 24 hours signingCredentials: signinCredentials ); var tokenString = new JwtSecurityTokenHandler().WriteToken(tokeOptions); return Ok(new { Token = tokenString }); } else { return Unauthorized(); }}
What can we do as a result token would be secure passing through URL? I want to change flow bit in such a way that if another user copy and paste the same URL, then he will not be able to access protected resource. So how to achieve and secure long life token? Please guide me with approach in details. Thanks
-
i got a application developed with asp.net core mvc where token is always passed with url. it seems if we pass token with each url then it is not secure way. so any time any other user can get url and appear before server as right user. our token life is 24 hours. sample url looks like http://localhost:48000/ACX/Default/Login?token=8kzRLdW8lQVIS0MrtlqdZJbmz9p22l33u1wspGOmLgCgEy2MG5XZ0JG1ovVZGiNX7KpAfBVn3[^]
This code is generating the token which would valid up to 24 hours:
public IActionResult Login([FromBody]LoginModel user)
{
if (user == null)
{
return BadRequest("Invalid request");
}if (user.UserName == "johncitizen" && user.Password == "abc@123") { var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("KeyForSignInSecret@1234")); var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256); var tokeOptions = new JwtSecurityToken( issuer: "http://localhost:2000", audience: "http://localhost:2000", claims: new List(), expires: DateTime.Now.AddMinutes(1440), // valid till 24 hours signingCredentials: signinCredentials ); var tokenString = new JwtSecurityTokenHandler().WriteToken(tokeOptions); return Ok(new { Token = tokenString }); } else { return Unauthorized(); }}
What can we do as a result token would be secure passing through URL? I want to change flow bit in such a way that if another user copy and paste the same URL, then he will not be able to access protected resource. So how to achieve and secure long life token? Please guide me with approach in details. Thanks
For a user browsing your site, the token should be sent back in an HTTP-only, secure, same-site cookie. Use cookie authentication without ASP.NET Core Identity | Microsoft Docs[^]
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
For a user browsing your site, the token should be sent back in an HTTP-only, secure, same-site cookie. Use cookie authentication without ASP.NET Core Identity | Microsoft Docs[^]
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
