[英]How to safely deal with authentication on a web app rendered server-side?
I thought of a few approaches myself: 我自己想到了一些方法:
What is the better approach to this? 有什么更好的方法呢? Something that's secure and practical?
安全和实用的东西吗?
Edit: I would highly appreciate a comment describing the reason for downvoting.
编辑:我非常感谢描述下降投票理由的评论。 I'm providing a bounty for a definitive answer that answers questions like this and this plus a lot of issues posted on GitHub and threads posted on different framework-specific forums.
我为回答这样的问题一个明确的答案提供赏金这个和这个加了很多张贴在GitHub上,并张贴在不同的特定框架的论坛主题的问题。
HTTP is stateless. HTTP是无状态的。 You need to associate the client to the server somehow.
您需要以某种方式将客户端与服务器关联。 The old standard method that assumes the client is dumb uses cookies for this association, which browsers automatically pass for you.
假定客户端是愚蠢的旧标准方法使用cookie进行此关联,浏览器会自动为您传递。 It's still overall the most secure way of keeping the session - over HTTPs.
总体而言,它仍然是通过HTTP保持会话的最安全方式。
If you don't like cookies and you assume a smart client that can run code, then use tokens - preferably JWTs and place them in localstorage. 如果您不喜欢Cookie,并且假定您可以运行代码的智能客户端,则可以使用令牌-最好是JWT,并将其放在本地存储中。 Ensure you are running over HTTPs of course, and you still have to guard against XSS attacks.
当然,请确保您正在通过HTTP运行,并且仍然必须防范XSS攻击。
That's all there is to it - head over to security.stackexchange.com to learn why trying anything custom is a bad idea. 这就是全部内容-前往security.stackexchange.com了解为什么尝试任何自定义都是一个坏主意。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.