Safest way to create a WebSocket session containing user-specific data
Question
Intro
The users of our web application must log in in order to use the app. Communication uses (along the XMLHttpRequest ) the WebSocket API.
The questions
Is storing the user name + password in a
<input type="hidden">of a<form>and then sending their data values to a login script sufficiently safe? If not, what could we do here?Is it possible to store an arbitrary object (say,
class User {...}) in the WebSocket's Session such that I can type in the login script:session.setAttribute("web_app_user", user)user = (User) session.getAttribute("web_app_user")such that it is not possible to hack the web app in any way?
1 answers
solution1
0 2019-06-28 17:37:21
Generally speaking, as long as you are using WSS protocol (as opposed to WS), you are communicating with the server in a secure and encrypted manner. That said, there are a lot of different methods to further ensure safety.
I think a fairly acceptable method is sending username and password once, along with some kind of session ID that is unique to the client. If the credentials are verified acceptable by the server, just the session ID can be passed along with further calls to the server. This cuts down on the amount of times you expose a user's password.
You may want to further secure your credential verification method with some kind of cryptography algorithm such as SALT .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.