Disabling token acquisition through HTTP GET requests
When using ArcGIS token-based authentication, you can acquire a token through an HTTP GET request. Although this is a convenient method of acquiring a token, a user's credentials are provided as part of the URL and may be stored in browser history or in network components.
If you are concerned about the security implications of acquiring a token through an HTTP GET request, you can disable this feature by following the steps below.
Steps:
- Log in to the ArcGIS Server Administrator Directory. The URL has the format http://gisserver.domain.com:6080/arcgis/admin.
- Click security > tokens > update.
- In the Token Manager Configuration dialog box, add a comma (,) to the end of the "shortTimeout": "60" property.
- Add "allowHttpGet": "false" to the end of the list of existing property values, for example,
  {
    "type": "BUILTIN",
    "properties": {
      "longTimeout": "1440",
      "sharedKey": "VYHyatfGUlFWHgnAVMEc40nL1rn7s+l190vtgMjCx3c=",
      "shortTimeout": "60",
      "allowHttpGet": "false"
    }
  }
- Click Update.
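Credentials sent in a GET URL end up wherever URLs are recorded, so before and after disabling the feature it is worth checking web access logs for clients that requested tokens this way. The following Python is an added example, not part of the original page or Esri's code: it assumes a common/combined access log format, token endpoint paths ending in /tokens/ or /tokens/generateToken, and the query parameter names username and password. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2015:10:00:01 +0000] "GET /arcgis/tokens/generateToken?username=jdoe&password=example-only&f=json HTTP/1.1" 200 187
10.0.0.6 - - [01/Sep/2015:10:00:07 +0000] "POST /arcgis/tokens/generateToken HTTP/1.1" 200 187
10.0.0.7 - - [01/Sep/2015:10:01:12 +0000] "GET /arcgis/rest/services?f=json HTTP/1.1" 200 912
10.0.0.8 - - [01/Sep/2015:10:02:40 +0000] "GET /arcgis/tokens/?username=svc_map&password=example-only&client=requestip HTTP/1.1" 200 187
"""

# client IP, timestamp, HTTP method and request target from one log line
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Assumed token endpoint paths: .../tokens, .../tokens/, .../tokens/generateToken
TOKEN_PATH = re.compile(r"/tokens(/generateToken)?/?$", re.IGNORECASE)


def find_get_token_requests(log_text):
    """Return one finding per GET token request that carried a password.

    The password value itself is never copied into the findings, so the
    report can be shared without spreading the secret further.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST.match(line)
        if not m or m["method"] != "GET":
            continue  # POST bodies are not written to access logs
        url = urlsplit(m["target"])
        params = {k.lower(): v for k, v in
                  parse_qs(url.query, keep_blank_values=True).items()}
        if not TOKEN_PATH.search(url.path) or "password" not in params:
            continue
        findings.append({
            "line": lineno,
            "client": m["ip"],
            "time": m["ts"],
            "path": url.path,
            "username": params.get("username", ["?"])[0],
        })
    return findings


if __name__ == "__main__":
    for f in find_get_token_requests(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} requested a token via GET "
              f"for user {f['username']} at {f['time']}")
```

Each account reported should have its password changed, since the value is already present in the log; the client address identifies which application needs to switch to POST.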
9/1/2015