Comments on Code rant: JSON Web Tokens, OWIN, and AngularJS
Blog by Mike Hadlow. 14 comments, newest first.

Simon, 2016-03-30 09:50 (+01:00):
@Sarunas Valaskevicius - Who writes these cheat sheets? Local storage is discounted because of XSS and local user access, but the suggested alternatives, cookies and session storage, share the same "vulnerabilities". The technology that might actually help, https with public key pinning, escapes a mention.

Unknown, 2014-12-30 11:25 (+00:00):
About the token expiration... let's say I set it to expire 30 minutes after it was issued. Then in the middleware I'm already checking if the token is valid and will also need to check if it is expired or not.

Now... to prevent the user from logging in again every 30 minutes I could check if the token is about to expire (e.g. will expire in 5 minutes or less) and automatically generate a new one that is valid for another 30 minutes and return it with the response.

Is this "automatic token renewal" bad practice?
I know it doesn't solve all problems; in some situations the user might take a long time to do something that interacts with the server, and by that moment the token will already have expired and a new login will be needed.

Anonymous, 2014-11-02 11:19 (+00:00):
This is the article I was looking for for a couple of days. I am very new to the AngularJS & Web API world. It would be better for me if there were a download link. Would you please let me download this project?

Anonymous, 2014-10-23 14:04 (+01:00):
Is it best practice to store your token in session or local storage, due to security reasons? If not, what is the preferred way?

Marco, 2014-08-01 13:02 (+01:00):
Just a question here. Sure, the ASP.NET model was always wrong, and that's a reason why I never worked with it, and having worked with servlets (MVC) it made it even more difficult to accept the ASP.NET model. But since you come from a SOA background, didn't you have that server/client separation as well? And if so, why use OWIN?

Doggie Sensei, 2014-07-18 15:23 (+01:00):
Great post.
I am curious as to how you would prevent a replay attack - can't I just grab the tokens from sessionStorage and start firing off POSTs?

Raghu (http://raghurana.com), 2014-06-20 05:23 (+01:00):
Thanks for this post. However, I was wondering: if you stick the token in the browser sessionStorage/localStorage, then how do you prevent another malicious web app from iterating through all items in the localStorage and replaying them?

Anonymous, 2014-06-05 14:12 (+01:00):
Adrian: You can use localStorage instead of sessionStorage.

Adrian Hara, 2014-05-18 05:18 (+01:00):
What if you need a "remember me" feature? AFAIK session storage is gone when you reopen the browser (or a new tab).

Anonymous, 2014-05-09 13:50 (+01:00):
Excellent post, and very familiar to what I'm doing lately, so thank you a lot :)

Scooletz (http://blog.scooletz.com/), 2014-05-02 09:35 (+01:00):
Using a token instead of a cookie has an additional advantage. When using cookies in subdomains, an attacker who puts a cookie on the root domain puts your app in a situation where it receives two cookies, indistinguishable on the server side.
Using tokens, and holding their value in your app, is free from this danger.
I'd consider using cookies for authentication in SPA apps an obsolete mechanism.

Jeff Doolittle, 2014-04-30 17:30 (+01:00):
You may want to check this out as well:

https://github.com/NancyFx/Nancy/wiki/Token-Authentication

I imagine at some point there may be some convergence between Jonathan's Owin.StatelessAuth library and this one.

--Jeff

Jonathan Channon (http://blog.jonathanchannon.com), 2014-04-29 12:41 (+01:00):
If anyone is interested, I created a library a few days before this post doing something similar. You could use Mike's JWT stuff and implement it in ITokenValidator: https://github.com/jchannon/Owin.StatelessAuth

Jonathan Channon (http://blog.jonathanchannon.com), 2014-04-29 12:25 (+01:00):
Really great post!