
Web application : What should I send back to the user?

I am writing a web application - AngularJS in the frontend, REST API and MongoDB as the backend. Powered by Node.js.

Background to the issue:

I know I need to authenticate my users with token based authentication, and then I need to have the token be available for every new request thereafter. I also need to be able to hold onto the user ID in order to make transactions on the database later.

My main problem with that strategy is that this means after getting the token back, I need to hold onto the token and the ID after login, and because I am building a web front end, I am storing these in localStorage.

Any user who might be malicious may choose to dump data from that store, and see what value they could change to get at other people's data, right in their browser's dev tools!

This has to be something that can be fixed, and I know some of you will have addressed this in the past. So what do we do in this scenario?

Maybe there is a way to do this in a more secure fashion? Or maybe I don't need to store them at all?

Any user who might be malicious may choose to dump data from that store, and see what value they could change to get at other people's data, right in their browser's dev tools!

Really? You should authorize requests based on the user owning the access token; thus, if the user goes to any in-browser debugging tool and gets the token, that user will be able to do nothing more than what they could do from the UI.

On the other hand, you don't need to hold a user id. That user id should be part of the access token once the user gets authorized in your system, and only the server should be able to work with it.

The so-called access token can be stored as an encrypted word in a Web browser cookie, which is better than local storage because cookies are sent as part of any HTTP request, either a regular or an AJAX one (i.e. you don't need to include the token manually whenever you want to perform a request to your API), and during the server authorization process, you should decrypt the token and get back its info (usually called claims).
