Could you add tokenauth to your matrix? Or explain the difference here?

Comments

andrewfn

Thanks for pointing it out. I'll take a look at it and get back to you.

andrewfn

Token Authentication module

The Token Authentication module has some overlap in use cases with URL Login, although it uses a fundamentally different security model (which makes it more suitable for some cases and less for others).

It was originally designed for providing access to RSS feeds and because of this, the security model is as follows:

  • As the page is loaded, the user is logged in
  • The page is rendered
  • Once the page is rendered, the user is logged out

In order to keep the user logged in, the authentication token must be appended to every outbound link on the page that goes to somewhere else in the site. (This is accomplished with the help of the URL Alter module.) So in any session, the user is constantly being logged in and out transparently.

Advantages

  • The advantage for this model is clear when reading single pages, such as RSS feeds. There is no need for the user to be left in a logged-in state.
  • A second advantage is that only certain page types need be exposed, limiting the security risk.

Disadvantages

  • If the user visits a page which they would normally be allowed to visit (e.g. the front page) but this page is not of the type explicitly marked for use by the TA module, then the token will be lost from the URL and the user will no longer be logged in. This means that unless great care is taken with setting up page types, a user cannot reliably explore the site without losing authentication.
  • Any page that uses AJAX for communicating with the server after the page is loaded will not authenticate. For example, file upload, among other things, will not work.
  • Unencrypted access tokens are stored in the database making the site more vulnerable to compromise. It is hard to avoid this with the particular security model that is used.
  • Although individual or bulk passwords can be reset, there is no mechanism for making them obsolete after a certain time. This increases the security risk and reduces the convenience of user management.
  • There is no mechanism for bulk downloading of tokens into a file for use in mass emailing (although this could be added).

Conclusions

For the original intended purpose (reading RSS feeds) this module is excellent; however, as a general tool for mass email, the architecture makes it cumbersome to use.

Grayside

Thank you very much for performing an in-depth review.

By implication, urllogin has the edge in your listed disadvantages? Let me respond to those points, just so the comparative state of tokenauth is clear.

  • Yes, tokenauth is not really intended for site exploration, except in a carefully configured fashion. This is a necessary compromise for the weak security model.
  • AJAX is a definite weakness. I've wondered if possibly an implementation of hook_url_inbound_alter() might be able to help.
  • Encrypting the tokens would be a doable option if a policy of showing end users their token only once was reasonable. Facilitating this would be a decent amount of work.
  • #97820: expire tokens after x days
  • That seems straightforward.

Do you see a possibility of the projects merging to good effect, or urllogin overtaking the role of tokenauth?

andrewfn

Thanks for your comments. I think that both modules have a solid, but different, use case. I have carefully worked through the code of Token Authentication (which is very well-written) and there is very little duplication with URL Login. There would probably not be anything to be served by combining them, unless TA were to switch to the encryption model used by UL. This might be possible and could bring a performance improvement, since the database does not have to be accessed when authenticating.

Here are my thoughts on the differences between the use cases:

Which module to use?

  • If one or more of the following is true, use Token Authentication:
    1. For accessing RSS feeds.
    2. There are only a few specific pages or kinds of nodes that the user needs to see, and all menus and links that would take them to other parts of the site are hidden.
  • If one or more of the following is true, use URL Login:
    1. The user should have the same experience as if they were logged in normally, and can explore the site fully.
    2. The user may enter data on the site.
    3. The links come from email and it is required to track which email message the user clicked on.
  • Security considerations
    1. If the site contains highly sensitive material or e-commerce, then probably neither module should be used, but a careful use of Token Authentication for a limited part of the site might be possible.
    2. The main security risk is email being intercepted or old email being carelessly backed up or broken into. The main way to reduce this risk is to have an expiry date on the authentication data. This is much easier to achieve in URL Login.
    3. If the Drupal site were compromised, Token Authentication keeps unencrypted passwords in the database.
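To make the login/render/logout cycle described above (and the lost-token and expiry points in the security considerations) concrete, here is an added Python model of one token-authenticated request. It is not code from either module; TOKEN_STORE, TOKEN_ENABLED_PREFIXES and the hashed-token-with-expiry storage are assumptions that model the mitigations discussed, not the modules' actual schema.

```python
import hashlib
import re
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample store (assumption): tokens are kept only as SHA-256 digests
# together with an expiry timestamp, so a database compromise does not yield
# usable tokens and old email links stop working after the expiry.
TOKEN_STORE = {
    hashlib.sha256(b"alice-token-1").hexdigest(): {"uid": 42, "expires": time.time() + 3600},
}
# Page types (modelled as path prefixes) explicitly enabled for token access (assumption).
TOKEN_ENABLED_PREFIXES = ("/rss.xml", "/node/")


def lookup_uid(token, now=None):
    """Return the uid for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    rec = TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["expires"] <= now:
        return None
    return rec["uid"]


def rewrite_links(html, token):
    """Append the token only to links that lead to token-enabled page types."""
    def repl(match):
        href = match.group(1)
        if href.startswith(TOKEN_ENABLED_PREFIXES):
            sep = "&" if "?" in href else "?"
            return f'href="{href}{sep}token={token}"'
        return match.group(0)  # link to an unmarked page: token is dropped here
    return re.sub(r'href="([^"]*)"', repl, html)


def token_from_href(href):
    """What the next request would carry: the token query parameter, or None."""
    return parse_qs(urlparse(href).query).get("token", [None])[0]


def serve(path, token, now=None):
    """One request: log in, render, rewrite outbound links, log out.
    Returns (uid seen while rendering, html)."""
    uid = lookup_uid(token, now)  # login lasts only for this request
    if uid is None:
        body = '<p>anonymous</p><a href="/node/1">n1</a>'
    else:
        body = f'<p>user {uid}</p><a href="/node/1">n1</a><a href="/">home</a>'
        body = rewrite_links(body, token)
    # Nothing about the login persists past this point (the "logout").
    return uid, body
```

Following the rewritten "/node/1" link keeps the token, while following the unrewritten "/" link drops it, which is exactly the first disadvantage listed above.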

Grayside

Status: Active » Fixed

Great summary. As far as I'm concerned we can close the issue. We should probably link it from project pages.

andrewfn

I have updated the project page and the readme file to link to this issue. Thanks for your input!

andrewfn

@Grayside
It would help my project application if you would make a comment in the issue queue: http://drupal.org/node/1071088
Thanks, Andrew

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.