Hi Sameera,

Do those verification keys being passed have any sensitive informational value?

If yes, I do not think that passing them as URL parameters is the recommended approach, whereas storing them in a session-level cookie can be the correct approach. The following can be helpful to you on this issue.

[1] http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https
[2] http://security.stackexchange.com/questions/29598/should-sensitive-data-ever-be-passed-in-the-query-string

Hope this helps.

Thanks.

Dilan U. Ariyaratne
Software Engineer
WSO2 Inc. <http://wso2.com/>
Mobile: +94775149066
lean . enterprise . middleware

On Fri, Nov 28, 2014 at 1:06 PM, Roshan Wijesena <[email protected]> wrote:
> Can't we set your key in the Authorization header as a bearer token?
>
> On Fri, Nov 28, 2014 at 9:05 AM, Sameera Jayaratna <[email protected]> wrote:
>
>> Hi,
>>
>> I'm working on password recovery for ES, following [1].
>>
>> According to [1], in the sequence of calls to the UserInformationRecoveryService, the key generated in one call needs to be passed to the next call for verification. These calls occur in different views, so we need to pass the keys from one view to the next.
>>
>> What is the best way to do this?
>>
>> - passing as URL parameters?
>> - storing them in the session?
>>
>> Are there any security concerns related to either approach?
>> Or is there a better way to do this?
>>
>> Any thoughts on this would be helpful.
>>
>> Thank you,
>> Sameera
>>
>> [1] https://docs.wso2.com/display/IS500/Recover+with+Secret+Questions
>>
>> --
>> Thanks & Regards,
>> Sameera Jayaratna
>> Software Engineer; WSO2 Inc.
>> lean . enterprise . middleware | http://wso2.com
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
> --
> Roshan Wijesena.
> Senior Software Engineer-WSO2 Inc.
> Mobile: +94719154640
> Email: [email protected]
> WSO2, Inc. : wso2.com <http://wso2.com/>
> lean.enterprise.middleware.
