URL token validation: Add more parameters like user_id and URL to token?

Comments

  • Taylor

    hey @ianfs would you mind shooting this over to support@fastly.com? We'd be happy to help out. This will most likely involve working with your service directly, so we want to make sure to keep that private.

  • Florian Scheel

    We think we might have found a good solution that I'd like to share with you guys for discussion:

    1. Users of our service go to www.ourdomain.com/landingpage.html.
    2. They log in with their credentials and we store a session cookie whose value looks like this: <user-id>_<timestamp>_<sha256-hash>, where <user-id> is the plaintext user id, <timestamp> is the Unix time of expiration followed by a <sha256-hash> of the user-id, the timestamp, and a secret stored on our web server and in the VCL config.
    3. After a user has successfully logged in, the above /landingpage.html shows links to subdomain.ourdomain.com which itself points to Fastly.
    4. A link like, for example, subdomain.ourdomain.com/subdomain-landingpage.html contains a token in the form of <timestamp>_<sha256-hash>, where <timestamp> is the Unix time of expiration followed by a <sha256-hash> of the user-id, the timestamp, the URL path, and a secret stored on our web server and in the VCL config.
    5. When a user navigates to a link on subdomain.ourdomain.com, Varnish will first verify the cookie.
    6. If the cookie is OK, Varnish will verify the URL token.
    7. If either of the tokens cannot be verified, the user will get redirected back to www.ourdomain.com/landingpage.html where the session can be renewed, links can be regenerated, and/or an error message can be shown to the user.
    8. If both tokens can be verified the HTML page will be delivered to the user's browser. Subsequent requests for resources and other URLs not of type subdomain-landingpage will only contain the cookie, but still, the user can be verified this way.

    @Taylor_Mello FYI, I contacted support as suggested, the ticket number is 31782.
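A reference implementation of the generation and verification steps in the scheme above (example code added here, not from the post or from Fastly): the cookie and URL-token formats are as described, but the hash is computed as HMAC-SHA256 over separator-joined fields rather than a bare SHA-256 of the concatenation (Fastly VCL offers digest.hmac_sha256 for the same keyed hash), and the URL token is checked against the user id recovered from the verified cookie so a token issued to one user cannot be replayed with another user's session. The secret, user ids and timestamps are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample secret; in the real setup this is the value shared
# between the web server and the VCL config.
SECRET = b"example-shared-secret-not-for-production"


def _mac(*fields: str) -> str:
    # Keyed hash over the fields, joined with a separator that cannot occur
    # in a user id, a decimal timestamp or a URL path, so "ab"+"c" and
    # "a"+"bc" can never collide.
    msg = "\x1f".join(fields).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_cookie(user_id: str, expires: int) -> str:
    # Step 2: <user-id>_<timestamp>_<hash of user-id, timestamp, secret>
    return f"{user_id}_{expires}_{_mac(user_id, str(expires))}"


def make_url_token(user_id: str, expires: int, path: str) -> str:
    # Step 4: <timestamp>_<hash of user-id, timestamp, URL path, secret>
    return f"{expires}_{_mac(user_id, str(expires), path)}"


def verify_cookie(cookie: str, now: int) -> Optional[str]:
    # Step 5: returns the authenticated user id, or None if the cookie is
    # malformed, expired or has a bad MAC. rsplit tolerates '_' in user ids
    # because the timestamp and hex digest never contain one.
    parts = cookie.rsplit("_", 2)
    if len(parts) != 3:
        return None
    user_id, ts, mac = parts
    if not ts.isdigit() or int(ts) < now:
        return None
    if not hmac.compare_digest(mac, _mac(user_id, ts)):
        return None
    return user_id


def verify_url_token(token: str, user_id: str, path: str, now: int) -> bool:
    # Step 6: the user id comes from the verified cookie, not from the URL.
    parts = token.split("_", 1)
    if len(parts) != 2:
        return False
    ts, mac = parts
    if not ts.isdigit() or int(ts) < now:
        return False
    return hmac.compare_digest(mac, _mac(user_id, ts, path))


def authorize(cookie: str, token: str, path: str, now: int) -> bool:
    # Steps 5-7: cookie first, then the URL token bound to that cookie's user.
    user_id = verify_cookie(cookie, now)
    return user_id is not None and verify_url_token(token, user_id, path, now)
```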
