zoukankan      html  css  js  c++  java
  • [Angular] Protect The Session Id with https and http only

    For the whole signup process. we need to 

    • Hash the password to create a password digest
    • Store the user's info and password digest into db
    • Create a random sessionId to assoc with user
    • Set Session Id into cookie
    async function createUserAndSession(res, credentials) {
      // Create a password digest
      const passwordDigest = await argon2.hash(credentials.password);
      // Save into db
      const user = db.createUser(credentials.email, passwordDigest);
      // create random session id
      const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
      // link sessionId with user
      sessionStore.createSession(sessionId, user);
      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId);
      // send back to UI
      res.status(200).json({id: user.id, email: user.email});
    }
    
    -----
    
    const util = require('util');
    const crypto = require('crypto');
    
    // convert a callback based code to promise based
    export const randomBytes = util.promisify(
      crypto.randomBytes
    );
    
    
    
    -----
    
    import {Session} from './session';
    import {User} from '../src/app/model/user';
    class SessionStore {
      private sessions: {[key: string]: Session} = {};
    
      createSession(sessionId: string, user: User) {
        this.sessions[sessionId] = new Session(sessionId, user);
      }
    }
    
    // We want only global singleton
    export const sessionStore = new SessionStore();

    Now we have set the cookie, later, each request we send to the server, this cookie will be attached in the request header, we can confirm that:

    But the problem is that, hacker can inject some script to get our cookie by using:

    document.cookie

    It enables the hacker to attack our site by just set cookie in his broswer, then in each reqest, the cookie will be sent to server, cookie is the only thing which server used to verfiy the user.

    document.cookie = "......"

    To protect that, we can make cookie can only be accessed by http, not JS:

      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId, {
        httpOnly: true, // js cannot access cookie
      });

    We can see that "HTTP" column was marked.

    Second, we need to enable https protect.

    To do that in server:

      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId, {
        httpOnly: true, // js cannot access cookie
        secure: true // enable https only
      });

    We also need to adjust angular cli so that app run on https:

    package.json:

    "start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
    // proxy.json
    
    {
      "/api": {
        "target": "https://localhost:9000",
        "secure": true
      }
    }

    We can see that "Secure" column now is also marked.

  • 相关阅读:
    项目总结60:Springboot集成swagger2
    ELK学习01:ELK安装
    Java深入学习16:NIO详解2-Selector
    Java深入学习15:NIO详解1-基本概念、Buffer、Channel
    Java深入学习14:Java线程池
    Java深入学习13:synchronized在静态方法和非静态方法下的同步
    Java深入学习12:线程按目标顺序执行以及Lock锁和Condiiton接口
    项目总结59:Redis分布式锁解决电商订单库存并发问题
    Java深入学习11:Lock锁详解
    Java深入学习09:URL类使用和判断图片资源是否有效
  • 原文地址:https://www.cnblogs.com/Answer1215/p/7449090.html
Copyright © 2011-2022 走看看