zoukankan      html  css  js  c++  java
  • [Angular] Protect The Session Id with https and http only

    For the whole signup process. we need to 

    • Hash the password to create a password digest
    • Store the user's info and password digest into db
    • Create a random sessionId to assoc with user
    • Set Session Id into cookie
    async function createUserAndSession(res, credentials) {
      // Create a password digest
      const passwordDigest = await argon2.hash(credentials.password);
      // Save into db
      const user = db.createUser(credentials.email, passwordDigest);
      // create random session id
      const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
      // link sessionId with user
      sessionStore.createSession(sessionId, user);
      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId);
      // send back to UI
      res.status(200).json({id: user.id, email: user.email});
    }
    
    -----
    
    const util = require('util');
    const crypto = require('crypto');
    
    // convert a callback based code to promise based
    export const randomBytes = util.promisify(
      crypto.randomBytes
    );
    
    
    
    -----
    
    import {Session} from './session';
    import {User} from '../src/app/model/user';
    class SessionStore {
      private sessions: {[key: string]: Session} = {};
    
      createSession(sessionId: string, user: User) {
        this.sessions[sessionId] = new Session(sessionId, user);
      }
    }
    
    // We want only global singleton
    export const sessionStore = new SessionStore();

    Now we have set the cookie, later, each request we send to the server, this cookie will be attached in the request header, we can confirm that:

    But the problem is that, hacker can inject some script to get our cookie by using:

    document.cookie

    It enables the hacker to attack our site by just set cookie in his broswer, then in each reqest, the cookie will be sent to server, cookie is the only thing which server used to verfiy the user.

    document.cookie = "......"

    To protect that, we can make cookie can only be accessed by http, not JS:

      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId, {
        httpOnly: true, // js cannot access cookie
      });

    We can see that "HTTP" column was marked.

    Second, we need to enable https protect.

    To do that in server:

      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId, {
        httpOnly: true, // js cannot access cookie
        secure: true // enable https only
      });

    We also need to adjust angular cli so that app run on https:

    package.json:

    "start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
    // proxy.json
    
    {
      "/api": {
        "target": "https://localhost:9000",
        "secure": true
      }
    }

    We can see that "Secure" column now is also marked.

  • 相关阅读:
    微信JS SDK Demo
    微信JS SDK使用权限签名算法
    微信JS接口
    微信分享JS接口失效说明及解决方案
    微信支付开发(2) 扫码支付模式一
    不懂技术的人不要对懂技术的人说这很容易实现
    独立开发者经验分享
    微信公开课PRO版张小龙演讲全文
    RC4加密算法的原理及实现
    上传APP加入视频预览--精简点名
  • 原文地址:https://www.cnblogs.com/Answer1215/p/7449090.html
Copyright © 2011-2022 走看看