On the page https://developers.pinterest.com/tools/access_token/ you can generate an access token. Does anyone know what the lifetime of that token is? Does it expire after fixed time?
Regards
Ismail
There is currently no default expiration period, meaning they will last forever. That will likely change in the near future, and applied to existing tokens. But for now, they are invincible!
Related
One customer had a problem where an incorrect email (from another customer) was assigned to a case. The incorrectly assigned email is a response to a case that was deleted. However, the current case has the same tracking token as the deleted one. It seems that the CRM system uses the same tracking token as soon as it is available again. This should not happen! Here Microsoft has a real programming error from our point of view. The only solution we see is to increase the number of numbers to the maximum so that it takes longer until all tracking tokens are used up. But in the end, you still reach the limit.
Is there another possibility or has Microsoft really made a big mistake in the way emails are allocated?
We also activated Smart Matching, but that didn't help in this case either, because the allocation was made via the Tracking Token first.
Thanks
The structure of the tracking token can be configured and is set to 3 digits by default. This means that as soon as 999 emails are reached, the tracking token starts again at 1, which is basically a thinking error on Microsoft's part.
If you have set "Automatic replies", these will be reached in the shortest possible time. We therefore had to increase the number to 9 digits, which is also not a 100% solution. At some point, this number of emails is also reached and then emails are again assigned to requests that do not belong together. Microsoft has to come up with another solution.
Can somebody help me out with Laravel's Throttling ? Right now, my website uses throttling to prevent user from logging in for 'x' seconds, if the password they entered are wrong for 'x' number of time.
After logging in, user will require Two-Factor Authentication to update their information but i would like to throttle the Two-FA too, so that they will be locked out from updating their account. I can actually reuse the login's throttling codes to lock the user out but the issue is that, when the user logs out, they wont be able to log in due to the temporary lock.
I would like to create a custom throttle just for Two-FA and probably prevent the user from accessing that specific route for 'x' seconds.
I have tried searching around, but everything is related to login. If somebody could suggest me a package which will fit my requirement or provide a simple tut. will really be helpful to me. Thanks for your time.
This is all outlined in the ThrottlesLogins trait, but I'll try to simplify it even further.
Generate a unique key for the user and type of request:
$key = '2fa:' . $user->id;
Add a hit (increment count) on every request to the endpoint using the Illuminate\Cache\RateLimiter class:
app(RateLimiter::class)->hit($key, $timeoutInMinutes);
Check if the limit has been reached before processing the request:
$bool = app(RateLimiter::class)->tooManyAttempts($key, $maxAttempts, $timeoutInMinutes);
I have a question about Spring MVC controllers scope and REST services. I have a couple of REST services, wich returns a token in the response so I can later recreate the state of the application, but I don't want the users use the same token twice, so I've decided to save an unique identifier inside the token and also in HttpServletRequest, so I can check it when I get the requests (a new identifier is generated in every request).
So, my questions are: 1) is there any other way to be sure that some user will not use the same token more than once (also considered to save that identifier in DB, but I would have lot of queries to insert, delete, verify, etc).2) is it ok for the controller that receives the requests to be a singleton, or should it be prototype? (considering that the identifier is taken from session and I don't want to mix it between different sessions).
A few words on tokens that are valid only once
It's not possible to achieve it
without keeping the track of the tokens somewhere. This security schema require some trade-offs, deal with it.
Give the user a token and keep the track of it on server side, just like a white list:
When a token is issued, add it to the white list.
When a request comes to the server with a token, check the white list and:
If the token is valid, accept the request and remove the token from the white list.
If the token is invalid, refuse the request by returning a proper status code such as 403.
Also, consider assigning an expiration date to the token and refuse any request that comes to the server with an expired token.
Regarding your performance concerns: Bear in mind that premature optimization is the root of all evil. You shouldn't optimize until you have a performance problem and you have proven that the performance problem comes from the way you store your tokens. You could start storing the tokens in the database and then consider a cache in memory, for example. But always be careful when fixing a problem that you currently don't have.
Working with JWT
If you go for JWT, there are a few Java libraries to issue and validate JWT tokens such as:
jjwt
java-jwt
jose4j
The jti claim should be used to store the token identifier on the token. When validating the token, ensure that it's valid by checking the value of the jti claim against the token identifiers you have on server side.
For the token identifier you could use UUID. In Java, it's as simple as:
String uuid = UUID.randomUUID().toString();
Since HttpSession#getId() is unique, you can use it to create an unique token:
// pseudo code
String token = httpSession.getId() + "-" + System.currentTimeMillis();
You can also create your own counter.
Here my two techniques to prevent it
Disable submit button:
We can disable submit button right before our function call HTTP request and enable it again after finish gets HTTP response. This technique is effective for the process that takes a long time to finish (more than 5 sec.). The user can not click n’ click again because of impatience to get the result. Additionally, we may show a loading box for a good experience.
Issue request token/id:
This technique actually more complicated and difficult to implement, but thanks to a good framework (such as Spring Boot) to make this easier. Before we are going to the code implementation, let’s talk about the mechanism first;
When form page is loaded, issue a new requestId
put issued requestId to HTTP header before calling the backend service
backend service identify a requestId is already registered or not
if requestId is already registered then we can mark as a violation request
In our application new JWT token is returned in a cookie each time user sends a request, even though previous has still much lifetime. If user makes multiple request in a short period of time, there exists multiple valid tokens almost full lifetime on each. Browser is of course using the latest one, but someone may still use the previous ones to impersonate user.
Is there way to invalidate the previous token when dispatching a new one, or is the only choice to dispatch new token only when there is not much lifetime on the last one?
The only way to 'invalidate' tokens is by keeping track of them statefully.
This usually means doing something like keeping a key/value cache of tokens that are valid, and invalid, and checking incoming request tokens against these lists on each request.
The downside to doing things this way is that you lose a lot of the 'stateless' benefits of JWTs (since you are still checking a centralized store for token validity), but the benefit is that you can be more 'secure' by immediately revoking tokens you no longer want service-able.
One workaround is to have your access tokens be extremely short lived (5 minutes or so), to minimize any abuse.
I am wondering why codeigniter session time expiration is not calculating from last user activity.This way i can retain active users. Right now even user performing activities, the session gets expired due to the limitation.
I think you are facing a bug.
Codeigniter's session stores the timestamp of your user's last activity.
The framework use this information to calculate the expiration time.
Also, I've read multiple times that Ajax calls may broke CI sessions. I've also been struggling with CI's sessions and i've been forced to pass $config['sess_use_database'] to false as a workaround.
https://degreesofzero.com/article/fixing-the-expiring-session-problem-in-codeigniter.html
https://ellislab.com/codeigniter/user-guide/libraries/sessions.html
https://ellislab.com/forums/viewthread/182755/#900523
You can check whether user is performing activity or not. If not you can ask the process to sleep for 1 sec. This way the session will never expire.
sleep(1);
In PHP this will work. This way you can make the process sleep when user is idle.