Is it safe to store users' data in the session/history? (reactjs)

I took over this react application from an old developer, and I'm not super familiar with the way react works, but I never, in my life, have stored a user's data in the history of the session. I notice he is doing just that, which freaks me out a bit:

    const {
      history,
    } = this.props

    AuthorizationHome.doCreateUserWithEmailAndPassword(email, passwordOne)
      .then((authUser) => facades.userFacade().doCreateUser(authUser.user.uid, email, name, companyName))
      .then(() => {
        history.push(routes.HOME)
      })

Is it actually safe to be doing this, or should I be storing it in a DB and querying the data each time it's needed? I've always just either stored the user's data in the DB and queried it through my server-side code, or passed the data to my backend and manipulated it safely through there. Please let me know!

It's based on the type of project you're working on. If it's banking or it deals with any sensitive data and is a public usage application, please avoid saving passwords in the on-page login. It's better to use session-based user authentication based on the project requirement.

Yes, this data stays persistent as long as the page is not navigated or routed to the same page with other data.

No, it isn't safe, as if someone gets access to the client's computer, they could retrieve the credentials and possibly have lifetime access to their account. Even with encryption, it isn't good to store username and password locally.

What you could do is implement JWT with short-lived tokens, then encrypt them and store them locally (or use cookie-based JWTs, but beware of CSRF exploits). That way, if a client's tokens were stolen, the tokens could expire after a while, or if you detect they have been compromised, revoke the tokens without having the client change their password.

You could also ask the user for a PIN to use to encrypt and store their credentials locally, then when they open a new page/session, ask them for it to decrypt the stored data. I would advise against this, since the client can use simple PINs such as 1-2-3-4, and instead of having them use longer PINs/codes, just have them directly re-enter their passwords.
