sessionToken security

Hi,

We utilize ParseServer in our mobile application and are currently evaluating potential security risks associated with its use.

Every REST API request includes a sessionToken, which is employed to authorize the request on the Parse server and identify the user sending the request. Given that the sessionToken is a long-term token, there’s a concern that if someone were to gain unauthorized access to our _Session table in the database, they could potentially make API calls on behalf of any user.

Are there any measures or future plans in place to enhance session management security?

Thank you,

Jindrich

Hello,

You can set a time to expire for the sessionToken.
(For example, a daily token.)

And no user can reach the Session table except his own record.

Also, you should already arrange ACLs for maximum security.

Also, I can give extra ideas for security if a user has had his sessionToken captured.

Every sessionToken must be matched to one IP address.

If any request comes from a different IP address (you can check this in middleware), you will reset the sessionToken and reject this request.

Parse Server offers you the versatility to implement your own authentication adapter that meets your specific security requirements. There are also a number of authentication adapters built in that you can use, and possibly customize, for your needs.

I’m not seeing an IP Address field on the Session Token object. I thought it might be related to the Installation ID, so I checked that table as well, but there is no IP Address field there either. How are you able to check the IP Address for a given Session Token?

You can add an IP address field in the collection, and after login you can check every request against the IP address and then release the request.

And how do you distinguish requests from clients and the back-end when directAccess == false (true is the default, btw; the doc on this is incorrect)?