How to safely deal with authentication on a web app rendered server-side?
Question
I thought of a few approaches myself:
- Use cookies. This requires CSRF protection and some logic complications as one needs to unify the cookie for both API and main domain. Also cookies seem a bit creepy regarding security overall
- Render auth-related stuff on client. Well this would work but things as simple as the navbar, which should hide SignIn/SignUp buttons when authed, is auth related. With some overview of my existing application, SSR entirely looks pointless at that point.
What is the better approach to this? Something that's secure and practical?
Edit: I would highly appreciate a comment describing the reason for downvoting. I'm providing a bounty for a definitive answer that answers questions like this and this plus a lot of issues posted on GitHub and threads posted on different framework-specific forums.
1 answers
solution1
2 2018-01-02 05:47:48
HTTP is stateless. You need to associate the client to the server somehow. The old standard method that assumes the client is dumb uses cookies for this association, which browsers automatically pass for you. It's still overall the most secure way of keeping the session - over HTTPs.
If you don't like cookies and you assume a smart client that can run code, then use tokens - preferably JWTs and place them in localstorage. Ensure you are running over HTTPs of course, and you still have to guard against XSS attacks.
That's all there is to it - head over to security.stackexchange.com to learn why trying anything custom is a bad idea.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.