Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialAndrew Young
Courses Plus Student 639 PointsToken security
I'm building a app which needs token to add/submit some data using node.js
Should I store the token in a hidden field eg.
<p style="display:none;">token</p>
Or should I retrieve it when I need it (submitting data)?
1 Answer
Steven Parker
231,269 PointsIf the token is temporary for the session it probably doesn't matter, but otherwise you might want to avoid "hidden" fields because they are only hidden in terms of not being displayed on the screen. They are still easily read with browser functions or other tools.
Andrew Young
Courses Plus Student 639 PointsAndrew Young
Courses Plus Student 639 PointsSo if it's one time use token it's fine to store in hidden field?
Steven Parker
231,269 PointsSteven Parker
231,269 PointsMost likely if it's just used to identify the session. The main thing to consider is: if it were exposed to the user (accidentally or by their action), could that create any potentially serious issue? If the answer is yes, a more secure mechanism is needed.
Andrew Young
Courses Plus Student 639 PointsAndrew Young
Courses Plus Student 639 PointsHow about in my case I'm using the workflow
write-mail button click -> generate token ->send mail request ->auth with token ->send mail (with node.js's nodemailer) ->suspend token
Can I store token in hidden field with this kind of workflow?
Steven Parker
231,269 PointsSteven Parker
231,269 PointsIt sounds like you don't even need to store it, if the token is generated as part of the submit process. But it still might be a convenience for including it in the submit data.
Andrew Young
Courses Plus Student 639 PointsAndrew Young
Courses Plus Student 639 PointsI'm generating to prevent some developer directly submit data to the path without permission
Steven Parker
231,269 PointsSteven Parker
231,269 PointsBut if it is generated in the client, couldn't a developer replicate the generation mechanism? Or did the "generate token" step involve a server request and response?
Andrew Young
Courses Plus Student 639 PointsAndrew Young
Courses Plus Student 639 PointsMy plan is request (post) to a path (eg. /token/req) with the data of the server (hostname, IP) so we check if the server info is registered then pass back a token we generate (random string 24 char)
We generate token by self-designed random string function and store it in database then send back to client