php - REST authentication
With RESTful authentication in a JavaScript application, the state is kept at the client. Requests to the server should be independent of one another, and authentication should happen on every request.
This means the password or access token (social media auth) is stored at the client in the form of a cookie. There doesn't seem to be a way around it.
Cookies are still considered "public" in terms of security, because a possible XSS attack gives an attacker access to the cookie.
In the database, on the other hand, the password / access token should be stored in encrypted form as well.
So I don't understand. It does not make sense to encrypt the password / access token and store it in a cookie. If an attacker gets his/her hands on the cookie, the user's encrypted credentials are unsafe, and can be used to match against the encrypted password stored in the database.
One way or another: if the cookie gets stolen, the attacker has the same access rights as the user. How can I prevent this from happening?
Note that I want to use RESTful authentication where the user authenticates on every request independently.
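An added example, not code from the question or any answer to it, showing the usual stateless alternative to putting the password in the cookie: the server issues a short-lived token it signs with a server-side secret, stores nothing per session, and verifies the signature and expiry on every request. The secret value, the `TOKEN_TTL` of 15 minutes and the cookie name `auth` are assumptions chosen for this example.

```php
<?php
// Added example: signed, expiring, stateless token instead of credentials in the cookie.
// $secret must come from server-side configuration; the value below is a placeholder.
const TOKEN_TTL = 900; // 15 minutes (assumed); bounds how long a stolen cookie is useful

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $s) {
    return base64_decode(strtr($s, '-_', '+/'), true);
}

// Called once after the submitted password was checked against the stored hash.
function issue_token(string $userId, string $secret, int $now): string {
    $payload = b64url(json_encode(['sub' => $userId, 'exp' => $now + TOKEN_TTL]));
    $sig = b64url(hash_hmac('sha256', $payload, $secret, true));
    return "$payload.$sig";
}

// Called on every request; returns the user id or null. No server-side session state is read.
function verify_token(string $token, string $secret, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $sig)) return null;      // constant-time compare, rejects tampering
    $raw = b64url_decode($payload);
    $claims = $raw === false ? null : json_decode($raw, true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'])) return null;
    if ($now >= (int) $claims['exp']) return null;       // expired: a stolen cookie stops working here
    return (string) $claims['sub'];
}

// The cookie carries only the token, never the password or the social-media access token.
function send_token_cookie(string $token): void {
    setcookie('auth', $token, [
        'expires'  => time() + TOKEN_TTL,
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable by page scripts, which limits XSS cookie theft
        'samesite' => 'Strict', // not attached to cross-site requests
        'path'     => '/',
    ]);
}

// Per-request check (assumed placement in a front controller):
// $user = verify_token($_COOKIE['auth'] ?? '', $secret, time());
// if ($user === null) { http_response_code(401); exit; }
```

A leaked token still grants the user's rights until `exp`, so the lifetime is the trade-off; the password itself is never exposed by the cookie, and the database only needs the password hash, not an encrypted copy of it.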