REST: Authentication ticket

Lithium Alumni (Retired)

8 years ago

It's a clever hack but please beware of couple of things:

1. Adding any portion of user controlled input can introduce potential for security issues such as cross site scripting. In this case the action ticket is being carved from the URL and injected into the page DOM which might result in injection. The cleanest way to avoid injection might be to html encode the ticket value. The action ticket should never contain special characters. The action ticket might have an underscore but that char is usually not encoded which should make things easier.

2. The action ticket is basically there to provide an anti-automation mechanism and also used as a CSRF ticket. There are various action tickets are there considered sensitive and some that are considered non-sensitive. In this case this action ticket is associated to a non-sensitive action such as marking things read/unread (and that's why it's exposed in the URL). It should be noted that exposing sensitive action tokens is not a good idea and should never be put into the URL where is can be unintentionally exposed. The Lithium platform will never do this by design, however, Devs need to be aware of this risk.

-FK

Forum Discussion

REST: Authentication ticket

Related Content

Authentication: REST API and SSO

API Authentication

facebook authentication rest api

Rest Apiv2 to retrieve messages with authentication

Can someone walk me through authenticating and using Postman with Aurora?

Recent Discussions

How to fetch all labels associated with TkbArticlePage and count how many times each label is used

In Aurora, add additional <script> and <meta> tags

Setup content filter for arabic language

24.10 API change breaks navigation

How to create/subscribe the Webhook in Aurora