zoukankan      html  css  js  c++  java
  • [Angular] Protect The Session Id with https and http only

    For the whole signup process. we need to 

    • Hash the password to create a password digest
    • Store the user's info and password digest into db
    • Create a random sessionId to assoc with user
    • Set Session Id into cookie
    async function createUserAndSession(res, credentials) {
      // Create a password digest
      const passwordDigest = await argon2.hash(credentials.password);
      // Save into db
      const user = db.createUser(credentials.email, passwordDigest);
      // create random session id
      const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
      // link sessionId with user
      sessionStore.createSession(sessionId, user);
      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId);
      // send back to UI
      res.status(200).json({id: user.id, email: user.email});
    }
    
    -----
    
    const util = require('util');
    const crypto = require('crypto');
    
    // convert a callback based code to promise based
    export const randomBytes = util.promisify(
      crypto.randomBytes
    );
    
    
    
    -----
    
    import {Session} from './session';
    import {User} from '../src/app/model/user';
    class SessionStore {
      private sessions: {[key: string]: Session} = {};
    
      createSession(sessionId: string, user: User) {
        this.sessions[sessionId] = new Session(sessionId, user);
      }
    }
    
    // We want only global singleton
    export const sessionStore = new SessionStore();

    Now we have set the cookie, later, each request we send to the server, this cookie will be attached in the request header, we can confirm that:

    But the problem is that, hacker can inject some script to get our cookie by using:

    document.cookie

    It enables the hacker to attack our site by just set cookie in his broswer, then in each reqest, the cookie will be sent to server, cookie is the only thing which server used to verfiy the user.

    document.cookie = "......"

    To protect that, we can make cookie can only be accessed by http, not JS:

      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId, {
        httpOnly: true, // js cannot access cookie
      });

    We can see that "HTTP" column was marked.

    Second, we need to enable https protect.

    To do that in server:

      // set sessionid into cookie
      res.cookie('SESSIONID', sessionId, {
        httpOnly: true, // js cannot access cookie
        secure: true // enable https only
      });

    We also need to adjust angular cli so that app run on https:

    package.json:

    "start": "ng serve --proxy-config ./proxy.json --ssl 1 --ssl-key key.pem --ssl-cert cert.pem",
    // proxy.json
    
    {
      "/api": {
        "target": "https://localhost:9000",
        "secure": true
      }
    }

    We can see that "Secure" column now is also marked.

  • 相关阅读:
    Spring Security 3.2.x与Spring 4.0.x的Maven依赖管理
    文件下载-SpringMVC中測试
    Redhat 6.3中syslog信息丢失
    HDU2586 How far away ?(LCA模板题)
    android开机启动应用和服务
    swift 3.0基本数据语法
    swift 获取UI上某点点颜色
    Hello_IOS ios开发transform属性
    CGAffineTransformMakeTranslation和CGAffineTransform
    iOS 原生地图(MapKit、MKMapView)轨迹渐变
  • 原文地址:https://www.cnblogs.com/Answer1215/p/7449090.html
Copyright © 2011-2022 走看看