I see that the user can use the same token more than once. So when I am sending a request and set up a small packet sniffer to see
the request, I can get hold of the token. As we know, the contents of GET and POST are visible. The adversary could then use the token for whatever he wants. Isn't this insecure?
Comments
Comment #1
Mark Theunissen commented:
It is less secure than using a regular login/password, but not entirely for the reasons you're listing. A packet sniffer can also sniff cookies, and a stolen cookie is as good as a token, allowing the attacker to login as the user. The real issue is that the token is visible in the URL, which is stored in logs all over the place. I suggest using HTTPS for token based auth.
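Mark's point that a token carried in the URL ends up in logs can be checked on the server side. The following is an added example (not code from this thread or from the module under discussion): it scans constructed Apache combined-format access-log lines for credential-like query parameters in both the request line and the Referer field, reports each leak, and produces a redacted copy of the log. The parameter names in TOKEN_PARAMS are an assumption and should be adjusted to the site.

```python
import re

# Constructed sample access-log lines (combined log format); the token value is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /questionnaire?token=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /submit HTTP/1.1" 302 0 "https://example.org/questionnaire?token=abc123def456" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /node/1 HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Query-string parameter names that commonly carry a credential (assumption: adjust for your site).
TOKEN_PARAMS = ("token", "access_token", "api_key", "apikey", "session")

# name=value pair; the value ends at '&', whitespace or a quote.
TOKEN_RE = re.compile(
    r"\b(?P<name>" + "|".join(TOKEN_PARAMS) + r")=(?P<value>[^&\s\"]+)", re.IGNORECASE
)

# Combined log format: the request line is the first quoted field, the Referer the second.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def find_leaked_tokens(log_text):
    """Return (findings, redacted_text).

    Each finding is a tuple (line_no, field, param_name, value) where field is
    "request" or "referer". The redacted text has every matched value replaced,
    so the copy can be stored or shared without exposing the credential.
    """
    findings = []
    redacted_lines = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m:
            for field in ("request", "referer"):
                for tm in TOKEN_RE.finditer(m.group(field)):
                    findings.append((line_no, field, tm.group("name").lower(), tm.group("value")))
        # Redact wherever the pattern appears, even on lines that did not parse cleanly.
        redacted_lines.append(TOKEN_RE.sub(lambda t: f"{t.group('name')}=[REDACTED]", line))
    return findings, "\n".join(redacted_lines)


if __name__ == "__main__":
    leaks, clean = find_leaked_tokens(SAMPLE_LOG)
    for line_no, field, name, value in leaks:
        print(f"line {line_no}: {name} exposed in {field}")
    print(clean)
```

The second sample line shows the less obvious leak Mark alludes to: the token is not in that request at all, but the browser sent the previous URL as the Referer, so it is logged again.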
Comment #2
gogowitsch commented:
It is not insecure unless it's used outside of its purpose, which is identification as a particular user. This user's roles should not have any special rights. In particular, the token's owner should not be allowed to delete content or change the site's configuration.
My use case is a questionnaire. We invite everyone via his or her token. Later, we want to know who needs to be reminded to fill it in. We don't worry at all about the token getting into the wrong hands.