0

In my app (and website) a user logs in with their email to perform actions like making a comment on the website under their name. Obviously it is important that malicious people cannot pretend to be this user and send comments on their behalf.

I read that any state changing actions should never be performed by a GET request. What is to stop someone from creating a POST request using the authenticated user's email address? Is it possible for someone to tell my website to perform a POST request and spoof the inputs?

In my database I am thinking of storing some kind of token to validate a user (lets call the token authentication_token). For example, every time a user logs in, authentication_token is updated in the database for the user and sent back to be stored in a SESSION on the website or in the app. Now everytime a request is made (for example making a comment), the stored SESSION is checked in the database to make sure it matches before proceeding to make the comment.

  1. User presses "Submit comment" button on website or in app
  2. POST request is sent with inputs user_email, comment, and authentication_token
  3. SELECT authentication_token FROM Users_Table WHERE email=user_email
  4. Proceed to step 5 only if the retrieved authentication_token matches authentication_token that was sent in the POST request.
  5. Create the comment.

Is this a secure way to validate an action? Is transfer of authentication_token safe over https? Thank you for any help.

  • Some good answers for GET vs POST here: https://security.stackexchange.com/questions/30754/is-there-a-difference-between-get-and-post-for-web-application-security?noredirect=1&lq=1 – R15 Nov 30 '17 at 07:51

1 Answers1

4

In my app (and website) a user logs in with their email to perform actions like making a comment on the website under their name. Obviously it is important that malicious people cannot pretend to be this user and send comments on their behalf.

I read that any state changing actions should never be performed by a GET request. What is to stop someone from creating a POST request using the authenticated user's email address? Is it possible for someone to tell my website to perform a POST request and spoof the inputs?

Yes, an attacker can certainly craft any request they want.

You are on the right track, but what you've done is reinvent sessions. The user provides authentication information (generally a username and password), you create a session and send it back to them as a cookie value, and then every subsequent request comes with the session id and you verify it against your session database to know who the request came from.

Is transfer of authentication_token safe over https?

This is a session stealing attack, popularized by Firesheep. Using https is the generally accepted mitigation. Attacks tend to try to avoid https, eg via sslstrip, so you should abide by https best practices, like HSTS.

Xiong Chiamiov
  • 9,402
  • 2
  • 35
  • 78