Prevent phishing attacks

[macterra]

Currently a phishing site can potentially hijack a user session by forwarding the challenge to the end user, and forwarding the user's response to the real site.

[macterra]

One potential solution is that auth-demo should return an encrypted session token on a successful auth response submission. The client would then include the token in the headers to all API calls, and the server would check that against the token assigned to the session. A phishing site would be unable to decrypt the session token so can't hijack the session.

[macterra]

One potential solution is that auth-demo should return an encrypted session token on a successful auth response submission. The client would then include the token in the headers to all API calls, and the server would check that against the token assigned to the session. A phishing site would be unable to decrypt the session token so can't hijack the session.

A phishing site would be able to intercept and use the session token, so maybe the session token has to be combined with the URL so it changes with every request, or something like that? TBD