undefined | Better HN

0 pointsshkkmo2y ago0 comments

It can be OK to put authentication tokens in urls, but those tokens need to (at a bare minimum) have short expirations.

0 comments

>It can be OK to put authentication tokens in urls

When would this ever be necessary? URL session tokens have been a bad idea ever since they first appeared.

The only things even near to auth tokens I can reasonably see stuffed into a URL are password reset and email confirmation tokens sent to email for one time short expiration use.

Outside of that, I don't see any reason for it.

albert_e2y ago

"presigned" URLs[1] are a pretty standard and recommended way of providing users access to upload/download content to Amazon S3 buckets without needing other forms of authentication like IAM credential pair, or STS token, etc

Web Applications do utilize this pattern very frequently

But as noted i previous comment these do have short expiry times (configurable) so that there is no permanent or long-term risk on the lines of the OP article

[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-...

vin102y ago

You are right about short expiry times but another catch here is that if pre-signed URLs are being leaked in an automated fashion, these services also keep the downloaded content from these URLs around. I found various such examples where links no longer work, but PDFs downloaded from pre-signed URLs were still stored by scanning services.

From https://urlscan.io/blog/2022/07/11/urlscan-pro-product-updat...

> In the process of scanning websites, urlscan.io will sometimes encounter file downloads triggered by the website. If we are able to successfully download the file, we will store it, hash it and make it available for downloading by our customers.

couchand2y ago

Indeed, the only valid operation with the magic URL is exchanging the URL-based token with something else (your PDF, a session token, etc.) and then expiring the URL, so by the time the scanner gets around to it the original URL is invalid.

1 more reply

albert_e2y ago

Aha. That is an interesting issue indeed.

knome2y ago

Interesting. I haven't built on s3, and if I did my first instinct would probably have been to gate things through a website.

Thanks for sharing your knowledge in that area.

dylanowen2y ago

They're useful for images when you can't use cookies and want the client to easily be able to embed them.

j / k navigate · click thread line to collapse

0 comments

knome2y ago

>It can be OK to put authentication tokens in urls

When would this ever be necessary? URL session tokens have been a bad idea ever since they first appeared.

The only things even near to auth tokens I can reasonably see stuffed into a URL are password reset and email confirmation tokens sent to email for one time short expiration use.

Outside of that, I don't see any reason for it.

albert_e2y ago

Web Applications do utilize this pattern very frequently

But as noted i previous comment these do have short expiry times (configurable) so that there is no permanent or long-term risk on the lines of the OP article

[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-...

vin102y ago

From https://urlscan.io/blog/2022/07/11/urlscan-pro-product-updat...

couchand2y ago

1 more reply

albert_e2y ago

Aha. That is an interesting issue indeed.

knome2y ago

Interesting. I haven't built on s3, and if I did my first instinct would probably have been to gate things through a website.

Thanks for sharing your knowledge in that area.

dylanowen2y ago

They're useful for images when you can't use cookies and want the client to easily be able to embed them.

j / k navigate · click thread line to collapse