
Angular.js app - API security

We are currently making an Angular-based app. All info comes from an API.

We don't want to store any state on the client side with cookies etc. So when a user refreshes the app, we had planned to call /account/details, which will return the user object if logged in, and false if not.

The trouble is, the security model we have used is that we set an auth-token (returned as part of the user object from the above /account/details or successful /login call) that is sent in the header of any api request.

The API checks that this auth-token sent in the header matches what's in the logged-in-users table and sends back the data if there is a match.

Obviously, the problem is, on refresh we aren't saving anything client side, so we don't have this auth-token to send any more.

The API, as it's on the same domain, sets a PHP session cookie. We were thinking that for this /account/details call only we could match the session cookie value against the logged-in-users table. However, this sounds dodgy to us. Would this be OK? Or is there another, much simpler way to overcome this chicken-and-egg situation?

You may consider having the application use sessionStorage to store the authentication token. This has the advantages of the cookie you're looking for, but is maintained by JavaScript and is not automatically sent to the server.
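As an added example (not code from the question or the answer above), this shows the sessionStorage approach end to end: the token returned by /login is saved in sessionStorage, and on a refresh the app reads it back and replays it as a header on /account/details. The storage object and the HTTP transport are injected so the logic runs under Node; in a browser you would pass `window.sessionStorage` and a `$http`/`fetch` wrapper. The header name `X-Auth-Token`, the storage key, and the in-memory logged-in-users table are all constructed for the example.

```javascript
// Added example, not code from the original question or answer.
// Keeps the API auth token in sessionStorage (per tab, cleared when the tab
// closes, never sent automatically with requests) and replays it as a request
// header on /account/details after a page refresh.
// The storage object and HTTP transport are injected: in a browser pass
// window.sessionStorage and a fetch/$http wrapper; here constructed in-memory
// stand-ins are used so the code runs under Node.

const TOKEN_KEY = 'authToken';        // assumed storage key
const TOKEN_HEADER = 'X-Auth-Token';  // assumed header name; the post does not name it

// Build the headers attached to every API request once a token is known.
function authHeaders(token) {
  return token ? { [TOKEN_HEADER]: token } : {};
}

function createAuthClient(storage, httpGet) {
  return {
    // After a successful /login: remember the token for this tab only.
    saveToken(token) { storage.setItem(TOKEN_KEY, token); },
    getToken() { return storage.getItem(TOKEN_KEY); },
    // On app start / refresh: resend the stored token to /account/details.
    // Resolves to the user object, or null when there is no valid token
    // (a rejected token is also dropped from storage so it is not retried).
    async restoreSession() {
      const token = storage.getItem(TOKEN_KEY);
      if (!token) return null;
      const res = await httpGet('/account/details', authHeaders(token));
      if (res.status !== 200 || !res.body) {
        storage.removeItem(TOKEN_KEY);
        return null;
      }
      return res.body;
    },
    logout() { storage.removeItem(TOKEN_KEY); },
  };
}

// Constructed stand-in for window.sessionStorage (same getItem/setItem/removeItem API).
function makeMemoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Constructed stand-in for the API: a "logged-in-users" table keyed by token.
const loggedInUsers = new Map([['tok-abc123', { id: 7, name: 'alice' }]]);
async function fakeHttpGet(path, headers) {
  const user = loggedInUsers.get(headers[TOKEN_HEADER]);
  if (path === '/account/details' && user) return { status: 200, body: user };
  return { status: 401, body: false };
}

// Walk through the flow: login stores the token, a "refresh" rebuilds the
// client from the same storage and recovers the user; a stale token yields null
// and is removed from storage.
async function demo() {
  const storage = makeMemoryStorage();
  createAuthClient(storage, fakeHttpGet).saveToken('tok-abc123');
  const afterRefresh = await createAuthClient(storage, fakeHttpGet).restoreSession();
  storage.setItem(TOKEN_KEY, 'tok-revoked');
  const stale = await createAuthClient(storage, fakeHttpGet).restoreSession();
  return { afterRefresh, stale, tokenLeft: storage.getItem(TOKEN_KEY) };
}

demo().then((r) => console.log(JSON.stringify(r)));
// prints {"afterRefresh":{"id":7,"name":"alice"},"stale":null,"tokenLeft":null}
```

Two properties of this design are worth keeping in mind: because the token travels only in a header the app adds itself, a cross-site request cannot carry it the way a session cookie would be carried automatically; and because sessionStorage is readable by any script running on the origin, it offers no protection against XSS, so the usual output-encoding and CSP measures still matter. sessionStorage is also scoped to one tab, so a second tab starts logged out, which is the behaviour the question's "no persistent client state" goal implies.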
