
Password in sessionStorage

I have a single-page AngularJS app, and authenticate my website via websockets using no cookies. This means a refresh logs the user out. How bad is it to store the password in sessionStorage, so they can refresh during the session? (The username will be in localStorage, and I don't want the full login to persist between sessions.)

Thanks!

EDIT:

What I'm more interested in is whether there are any actual security risks for storing it in such a way. Is it any less secure than how Chrome stores passwords in plaintext, or how cookies are unencrypted?

Are you trying to avoid localStorage, or just cookies?

You could store a session ID in sessionStorage and authenticate the user using that; under no circumstances would I store a user's password in cleartext, though.

I don't think you'd want to store the password. You could generate a session token and store that in sessionStorage. Anyway, if you do come to store the password itself, don't store it as plain text.

What you want to do is... create some hash on your server, and save it in localStorage.

Send this hash on each request, and the server should validate/handle it, and respond with the appropriate credentials.

But that is also 'not as secure as you may want it to be', so... you can change the hash every X minutes, or have it time out after X minutes of inactivity.

Never store plain text passwords, and never include your hashing algorithm on the client side.
