Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Security

Andrew Young
PLUS
Andrew Young
Courses Plus Student 639 Points

Token security

I'm building a app which needs token to add/submit some data using node.js

Should I store the token in a hidden field eg.

<p style="display:none;">token</p>

Or should I retrieve it when I need it (submitting data)?

1 Answer

Steven Parker
Steven Parker
231,198 Points

If the token is temporary for the session it probably doesn't matter, but otherwise you might want to avoid "hidden" fields because they are only hidden in terms of not being displayed on the screen. They are still easily read with browser functions or other tools.

Andrew Young
Andrew Young
Courses Plus Student 639 Points

So if it's one time use token it's fine to store in hidden field?

Steven Parker
Steven Parker
231,198 Points

Most likely if it's just used to identify the session. The main thing to consider is: if it were exposed to the user (accidentally or by their action), could that create any potentially serious issue? If the answer is yes, a more secure mechanism is needed.

Andrew Young
Andrew Young
Courses Plus Student 639 Points

How about in my case I'm using the workflow

write-mail button click -> generate token ->send mail request ->auth with token ->send mail (with node.js's nodemailer) ->suspend token

Can I store token in hidden field with this kind of workflow?

Steven Parker
Steven Parker
231,198 Points

It sounds like you don't even need to store it, if the token is generated as part of the submit process. But it still might be a convenience for including it in the submit data.

Andrew Young
Andrew Young
Courses Plus Student 639 Points

I'm generating to prevent some developer directly submit data to the path without permission

Steven Parker
Steven Parker
231,198 Points

But if it is generated in the client, couldn't a developer replicate the generation mechanism? Or did the "generate token" step involve a server request and response?

Andrew Young
Andrew Young
Courses Plus Student 639 Points

My plan is request (post) to a path (eg. /token/req) with the data of the server (hostname, IP) so we check if the server info is registered then pass back a token we generate (random string 24 char)

We generate token by self-designed random string function and store it in database then send back to client