Is using a long string in a GET variable a secure way of identifying a user?
I am making a Twilio app. Twilio can send a request to the server after a call is over, but it isn't able to be associated with the logged in user of my website because Twilio is making an independent request. If 开发者_开发问答I were to tell Twilio to post something at
example.com/response.html?token=ba38pgab38g4agdusoehle8qihxs&data=somedata
and then use this token as a way of verifying that this Twilio request is associated with a user, is that secure?
I have seen this technique used before on password reset forms. An email will contain a link, and the user's identity is confirmed only using the token.
Is doing this in my Twilio app secure? Are there any gotchas to note?
It's as secure as any other request to your server from a remote HTTP client (like a browser). If you want to make sure that no one between Twilio's servers and yours can read the request, you should use HTTPS/SSL.
For this use case, it's probably better to associate the CallSid value that's sent with every request to your server with the user in your system. When the StatusCallback for a completed call fires, look up the user associated with that call and act accordingly.
A few of the browser-based single sign on protocols like OpenID and SAML use a similar technique to track state when redirecting between the site you're trying to authenticate to and the site doing the authentication. I think the technique is good enough for what you want to achieve.
I'm not familiar with Twilio, but I'd be careful about using to identify a user though. Generating a unique code (aka nonce) for every request and having Twilio pass that nonce back in the response would be more secure, as it only identifies a particular request. It might be overkill though.
精彩评论