[英]Safest way to create a WebSocket session containing user-specific data
Intro 介绍
The users of our web application must log in in order to use the app. 我们的Web应用程序的用户必须登录才能使用该应用程序。 Communication uses (along the
XMLHttpRequest
) the WebSocket API. 通信使用
XMLHttpRequest
和WebHttp API。
The questions 问题
Is storing the user name + password in a <input type="hidden">
of a <form>
and then sending their data values to a login script sufficiently safe? 将用户名和密码存储在
<form>
的<input type="hidden">
中,然后将其数据值发送到登录脚本是否足够安全? If not, what could we do here? 如果没有,我们在这里可以做什么?
Is it possible to store an arbitrary object (say, class User {...}
) in the WebSocket's Session such that I can type in the login script: 是否可以在WebSocket的Session中存储任意对象(例如,
class User {...}
),以便我可以输入登录脚本:
session.setAttribute("web_app_user", user)
user = (User) session.getAttribute("web_app_user")
such that it is not possible to hack the web app in any way? 这样就不可能以任何方式入侵网络应用程序?
Generally speaking, as long as you are using WSS protocol (as opposed to WS), you are communicating with the server in a secure and encrypted manner. 一般来说,只要您使用的是WSS协议(而不是WS),就可以以安全和加密的方式与服务器进行通信。 That said, there are a lot of different methods to further ensure safety.
也就是说,有很多不同的方法可以进一步确保安全。
I think a fairly acceptable method is sending username and password once, along with some kind of session ID that is unique to the client. 我认为一种相当可接受的方法是一次发送用户名和密码,以及某种客户端唯一的会话ID。 If the credentials are verified acceptable by the server, just the session ID can be passed along with further calls to the server.
如果凭据被服务器验证为可接受,则仅会话ID可以与其他调用一起传递给服务器。 This cuts down on the amount of times you expose a user's password.
这样可以减少您暴露用户密码的时间。
You may want to further secure your credential verification method with some kind of cryptography algorithm such as SALT . 您可能希望使用某种加密算法(例如SALT)进一步保护您的凭据验证方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.