Comment 9 for bug 861854

Ziad Sawalha (ziad-sawalha) wrote : Re: [Bug 861854] Re: Token in URL is a security risk

That could be a good solution. It won't need an API change either. Thanks!

On 11/8/11 11:28 PM, "Jorge Williams" <email address hidden> wrote:

>
>The approach is a misuse of HTTP's uniform interface. If it's necessary
>for security reasons then so be it.
>
>That said, I'm wondering if a better approach would be to simply encrypt
>the token in the URI for the purpose of logging. Or better yet (and I
>realize I'm setting the bar high here) encrypt and base64 the token
>before placing it in the URI. The caller's own token can be used as the
>shared secret for the encryption, since it will be encrypted anyway by
>the SSL.
>
>We might use something like this:
>http://www.codekoala.com/blog/2009/aes-encryption-python-using-pycrypto/
>
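The scheme Jorge sketches above, as an added example that is not part of the bug thread or of Keystone: the caller's own token is stretched into an AES key with HKDF, and the target token is AES-GCM encrypted and base64url-encoded before it goes into the URI, so access logs only ever see an opaque blob. The `cryptography` library stands in for the PyCrypto article he links, the HKDF step and the context label are assumptions, and the sample tokens are constructed.

```python
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed sample values, not real Keystone tokens.
CALLER_TOKEN = "caller-token-0123456789abcdef"
TARGET_TOKEN = "user-token-fedcba9876543210"
_CONTEXT = b"token-in-uri"  # hypothetical context label, bound into key and tag
_NONCE_LEN = 12


def _key_from_caller_token(caller_token: str) -> bytes:
    """Derive a 256-bit AES key from the caller's token (assumption: HKDF-SHA256).
    A raw bearer token is not a uniform key, so it is stretched rather than used directly."""
    kdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=_CONTEXT)
    return kdf.derive(caller_token.encode())


def wrap_token(target_token: str, caller_token: str) -> str:
    """Encrypt the target token under the caller's key and make it URI-safe.
    A fresh random nonce means the same token never produces the same blob twice,
    so two log lines cannot even be correlated to one token."""
    key = _key_from_caller_token(caller_token)
    nonce = os.urandom(_NONCE_LEN)
    ciphertext = AESGCM(key).encrypt(nonce, target_token.encode(), _CONTEXT)
    return base64.urlsafe_b64encode(nonce + ciphertext).rstrip(b"=").decode()


def unwrap_token(opaque: str, caller_token: str):
    """Server side: recover the token, or None if the blob was tampered with
    or was wrapped under a different caller's token (GCM tag check fails)."""
    padded = opaque + "=" * (-len(opaque) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
        nonce, ciphertext = raw[:_NONCE_LEN], raw[_NONCE_LEN:]
        key = _key_from_caller_token(caller_token)
        return AESGCM(key).decrypt(nonce, ciphertext, _CONTEXT).decode()
    except (InvalidTag, ValueError):
        return None


def is_uri_safe(opaque: str) -> bool:
    """True if the blob needs no percent-encoding in a path segment."""
    return all(c.isalnum() or c in "-_" for c in opaque)
```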