Published in Lightrail·Jul 7, 2017Getting Token Authentication Right in a Stateless Single Page ApplicationSingle page application architecture is becoming more prevalent, yet many established patterns to implement authentication security and user experience have not caught up. Patterns used by traditional web applications do not cross over well, or at all, to a true stateless architecture where there is no server-side web session. The…Authentication12 min read
Published in Lightrail·Jun 26, 2017Prevent Business Intelligence Leaks by Using UUIDs Instead of Database IDs on URLs and in APIsLet’s examine an innocuous looking URL that you may see when you are looking at your order history on some e-commerce site: https://www.yourfavsite.com/account/orders?orderid=5963 Speaking strictly from an application security perspective, there is no problem here. As long you’ve done your job on the back end checking that the order’s user…Programming6 min read
